N**BSD-SA2023-005 su(1) bypass via pam_ksu(8)

Takehiko NOZAKI reporter

changed status to resolved

BUGFIX: Issue ~~#364~~ - N**BSD-SA2023-005 su(1) bypass via pam_ksu(8) see https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2023-005.txt.asc

patches are derived from:

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libpam/modules/pam_ksu/pam_ksu.c.diff?r1=1.9&r2=1.10 pam_ksu: No need for homedir access.
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libpam/modules/pam_ksu/pam_ksu.c.diff?r1=1.10&r2=1.11 pam_ksu(8): Allow homedir access during kuserok.

Otherwise, the default kuserok logic to look at ~targetuser/.k5login would be blocked by the security measure to thwart NetBSD-SA2023-005.

(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf so the file is /etc/k5login.d/user instead of ~user/.k5login, but that's not the default configuration and there are plenty of deployments that rely on ~user/.k5login today.)

I reviewed libkrb5 for homedir access checks. There are three:
1. krb5_config_parse_file_multi, called only by: - verify_krb5_conf -- not relevant - krb5_config_parse_file -- not used here as far as I can tell, only by libhdb ldap logic and test code in heimdal - krb5_set_config_files -- used here only via krb5_init_context, which is done at this point
2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O, which shouldn't be happening at this point, so this is almost certainly unreachable; also it only appears to control whether some old plugin API can be used, long after we have read the krb5 config controlling which plugins are available, so this is probably harmless
3. krb5_kuserok, which is the one we want to allow
Note: This will have to be updated again in the next Heimdal update, which eliminates the global homedir access flag in favour of making the default per-context homedir access flag conditional on !issuid.

XXX pullup-10 XXX pullup-9 XXX pullup-8

→ <<cset 77bbf26e4e88>>

2023-12-18T08:23:36+00:00

Comments (2)

Takehiko NOZAKI reporter
cvsweb.netbsd.org/bsdweb.cgi/src/lib/libpam/modules/pam_ksu/pam_ksu.c.diff?r1=1.9&r2=1.11
- 2023-12-17T07:06:59+00:00
Takehiko NOZAKI reporter
- changed status to resolved
BUGFIX: Issue ~~#364~~ - N**BSD-SA2023-005 su(1) bypass via pam_ksu(8) see https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2023-005.txt.asc

patches are derived from:
- http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libpam/modules/pam_ksu/pam_ksu.c.diff?r1=1.9&r2=1.10 pam_ksu: No need for homedir access.
- http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libpam/modules/pam_ksu/pam_ksu.c.diff?r1=1.10&r2=1.11 pam_ksu(8): Allow homedir access during kuserok.
  
  Otherwise, the default kuserok logic to look at ~targetuser/.k5login would be blocked by the security measure to thwart NetBSD-SA2023-005.
  
  (There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf so the file is /etc/k5login.d/user instead of ~user/.k5login, but that's not the default configuration and there are plenty of deployments that rely on ~user/.k5login today.)
  
  I reviewed libkrb5 for homedir access checks. There are three:
  1. krb5_config_parse_file_multi, called only by: - verify_krb5_conf -- not relevant - krb5_config_parse_file -- not used here as far as I can tell, only by libhdb ldap logic and test code in heimdal - krb5_set_config_files -- used here only via krb5_init_context, which is done at this point
  2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O, which shouldn't be happening at this point, so this is almost certainly unreachable; also it only appears to control whether some old plugin API can be used, long after we have read the krb5 config controlling which plugins are available, so this is probably harmless
  3. krb5_kuserok, which is the one we want to allow
  Note: This will have to be updated again in the next Heimdal update, which eliminates the global homedir access flag in favour of making the default per-context homedir access flag conditional on !issuid.
  
  XXX pullup-10 XXX pullup-9 XXX pullup-8
→ <<cset 77bbf26e4e88>>
- 2023-12-18T08:23:36+00:00
Log in to comment