pam_access (1.7.0-1) improperly checks for group membership of a user.
Package version: 1.7.0-1
Description
When /etc/security/access.conf (from now on referred to simply as access.conf) is configured as shown in (1), pam_access.so does not match user [username] against (wheel) or (adm) when that user attempts to log in to the device on any tty, even though running "groups [username]" returns "wheel adm ...".
When access.conf is configured as shown in (2), the user is successfully matched with their default group named [username].
When access.conf is configured as shown in (3), the user is not matched for any of the groups whose corresponding GID has been entered, with 1000, 999, and 998 being the user's default group named [username], adm, and wheel respectively.
pam_access.so is used because of the configuration of /etc/pam.d/login, system-local-login, and system-login (all three can be seen below).
Config files:
access.conf (1):
+:(wheel) (adm):LOCAL
-:ALL:ALL
access.conf (2):
+:(wheel) (adm):LOCAL
+:([username]) root:LOCAL
-:ALL:ALL
access.conf (3):
+:(998) (999):LOCAL
+:(1000) root:LOCAL
-:ALL:ALL
/etc/pam.d/login:
#%PAM-1.0
auth requisite pam_nologin.so
auth include system-local-login
account include system-local-login
session include system-local-login
password include system-local-login
/etc/pam.d/system-local-login:
#%PAM-1.0
auth include system-login
account include system-login
password include system-login
session include system-login
/etc/pam.d/system-login:
#%PAM-1.0
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_access.so debug
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_motd.so
session optional pam_mail.so dir=/var/spool/mail standard quiet
session optional pam_umask.so
-session optional pam_systemd.so
session required pam_env.so
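To make the expected outcome of the three access.conf variants concrete, here is an added reference model of the rule evaluation (example code written for this page, not Linux-PAM's pam_access.c). It implements the documented semantics for the subset of syntax the report uses: the first line whose users field and origins field both match decides, "+" permits and "-" denies, ALL matches anything, LOCAL matches an origin without a dot (a tty or a short hostname), and "(name)" or "(gid)" means group membership including supplementary groups listed in /etc/group. EXCEPT lists, user@host forms and bare group names are not modelled. The GROUPS and PRIMARY_GID tables are constructed stand-ins for /etc/group and /etc/passwd that mirror the membership the report describes ([username] has primary GID 1000 and is listed under wheel (998) and adm (999)).

```python
"""Reference model of access.conf evaluation for the subset of syntax used in
the report. Added example, not pam_access code."""

# Constructed stand-in for /etc/group: name -> (gid, members listed in the file).
# Membership via /etc/group is supplementary; the primary group comes from the
# passwd entry and is recorded separately, as on a real system.
GROUPS = {
    "root": (0, set()),
    "wheel": (998, {"[username]"}),
    "adm": (999, {"[username]"}),
    "[username]": (1000, set()),
}
PRIMARY_GID = {"root": 0, "[username]": 1000}

# Configs (1) and (3) from the report, embedded as constructed input.
CONFIG_1 = "+:(wheel) (adm):LOCAL\n-:ALL:ALL\n"
CONFIG_3 = "+:(998) (999):LOCAL\n+:(1000) root:LOCAL\n-:ALL:ALL\n"


def user_groups(user):
    """All GIDs the user belongs to: primary GID plus every /etc/group listing."""
    gids = {PRIMARY_GID[user]} if user in PRIMARY_GID else set()
    gids.update(gid for gid, members in GROUPS.values() if user in members)
    return gids


def group_token_gid(token):
    """Resolve a '(wheel)' or '(998)' token to a GID, or None if unknown."""
    name = token[1:-1]
    if name.isdigit():
        return int(name)
    return GROUPS[name][0] if name in GROUPS else None


def user_match(token, user):
    """One token of the users field against the login name."""
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        gid = group_token_gid(token)
        return gid is not None and gid in user_groups(user)
    return token == user


def from_match(token, origin):
    """One token of the origins field against the tty or remote host."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        # pam_access treats an origin without a dot (tty, short hostname) as local
        return "." not in origin
    return token == origin


def evaluate(config_text, user, origin):
    """Return (permitted, line_number) for the first line whose users and origins
    fields both match; (True, None) if no line matches, because pam_access grants
    access when nothing in the file applies."""
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3:
            continue  # pam_access logs a bad field count and skips the line
        perm, users, origins = fields
        if any(user_match(t, user) for t in users.split()) and any(
            from_match(t, origin) for t in origins.split()
        ):
            return perm == "+", lineno
    return True, None


if __name__ == "__main__":
    for name, cfg in (("(1)", CONFIG_1), ("(3)", CONFIG_3)):
        print(name, "expected for [username] on tty2:", evaluate(cfg, "[username]", "tty2"))
```

Under these semantics both (1) and (3) should permit [username] on tty2 at line 1, which is the result to compare against the "line 5: - : ALL : ALL" / "line 7: - : ALL : ALL" decisions in the debug logs below. On a real host the constructed tables would be replaced by the grp and pwd modules (grp.getgrall(), pwd.getpwnam), and "id -Gn [username]" is the quickest independent check that the supplementary groups are really present for the account being tested.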
Log files:
(retrieved by running journalctl -r with the debug option passed to pam_access.so in system-login; journalctl -r prints newest entries first, so each log below reads bottom-up in chronological order)
Log for (1):
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): from_match=2, "tty2"
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): string_match: tok=ALL, item=tty2
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): from_match: tok=ALL, item=tty2
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): list_match: list=ALL, item=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): user_match=2, "[username]"
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): string_match: tok=ALL, item=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): user_match: tok=ALL, item=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): list_match: list=ALL, item=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): line 5: - : ALL : ALL
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): user_match=0, "[username]"
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): group_match: grp=(adm), user=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): user_match: tok=(adm), item=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): group_match: grp=(wheel), user=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): user_match: tok=(wheel), item=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): list_match: list=(wheel) (adm), item=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): line 2: + : (wheel) (adm) : LOCAL
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): login_access: user=[username], from=tty2, file=/etc/security/access.conf
Log file for (2):
Nov 26 15:28:15 [system-name] login[11780]: pam_unix(login:session): session opened for user [username](uid=1000) by [username](uid=0)
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): from_match=1, "tty2"
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): string_match: tok=LOCAL, item=tty2
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): from_match: tok=LOCAL, item=tty2
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): list_match: list=LOCAL, item=[username]
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): user_match=1, "[username]"
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): string_match: tok=[username], item=[username]
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): user_match: tok=[username], item=[username]
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): list_match: list=[username] root, item=[username]
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): line 3: + : [username] root : LOCAL
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): user_match=0, "[username]"
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): group_match: grp=(adm), user=[username]
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): user_match: tok=(adm), item=[username]
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): group_match: grp=(wheel), user=[username]
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): user_match: tok=(wheel), item=[username]
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): list_match: list=(wheel) (adm), item=[username]
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): line 2: + : (wheel) (adm) : LOCAL
Nov 26 15:28:15 [system-name] login[11780]: pam_access(login:account): login_access: user=[username], from=tty2, file=/etc/security/access.conf
Log file for (3):
Nov 27 18:55:05 [system-name] login[32529]: Permission denied
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): access denied for user `[username]' from `tty2'
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): from_match=2, "tty2"
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): string_match: tok=ALL, item=tty2
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): from_match: tok=ALL, item=tty2
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): list_match: list=ALL, item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): user_match=2, "[username]"
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): string_match: tok=ALL, item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): user_match: tok=ALL, item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): list_match: list=ALL, item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): line 7: - : ALL : ALL
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): user_match=0, "[username]"
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): string_match: tok=root, item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): user_match: tok=root, item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): group_match: grp=(1000), user=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): user_match: tok=(1000), item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): list_match: list=(1000) root, item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): line 5: + : (1000) root : LOCAL
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): user_match=0, "[username]"
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): group_match: grp=(999), user=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): user_match: tok=(999), item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): group_match: grp=(998), user=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): user_match: tok=(998), item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): list_match: list=(998) (999), item=[username]
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): line 2: + : (998) (999) : LOCAL
Nov 27 18:55:05 [system-name] login[32529]: pam_access(login:account): login_access: user=[username], from=tty2, file=/etc/security/access.conf
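Because journalctl -r prints the trace newest first, it is easy to misread which access.conf line actually decided. The following added helper (written for this page, not part of the report or of Linux-PAM) reverses a pam_access debug trace into chronological order and reports, per "line N:" the module tried, the user_match and from_match return codes it logged. The codes are the module's own: 0 means no match, 1 an explicit match and 2 a match via ALL, as seen in logs (2) and (1) above. The sample input is log (1), trimmed to the lines the helper inspects.

```python
import re

# Sample journalctl -r output (newest first), taken from log (1) in the report
# and trimmed to the lines this helper reads.
JOURNAL_R = """\
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): from_match=2, "tty2"
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): user_match=2, "[username]"
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): line 5: - : ALL : ALL
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): user_match=0, "[username]"
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): group_match: grp=(adm), user=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): group_match: grp=(wheel), user=[username]
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): line 2: + : (wheel) (adm) : LOCAL
Nov 26 15:17:09 [system-name] login[9354]: pam_access(login:account): login_access: user=[username], from=tty2, file=/etc/security/access.conf
"""

LINE_RE = re.compile(r"pam_access\([^)]*\): line (\d+): (.*)$")
USER_RE = re.compile(r"pam_access\([^)]*\): user_match=(\d+), ")
FROM_RE = re.compile(r"pam_access\([^)]*\): from_match=(\d+), ")


def trace_decisions(journal_reverse_text):
    """Walk a `journalctl -r` pam_access debug trace in chronological order and
    return one (config_line_no, rule, user_match, from_match) tuple per
    access.conf line the module tried. A code is None when the module never
    logged it, which is the case for from_match once user_match came back 0."""
    results = []
    current = None
    for line in reversed(journal_reverse_text.splitlines()):
        m = LINE_RE.search(line)
        if m:
            if current:
                results.append(current)
            current = {"line": int(m.group(1)), "rule": m.group(2),
                       "user": None, "from": None}
            continue
        if current is None:
            continue  # lines before the first "line N:" (login_access banner)
        m = USER_RE.search(line)
        if m:
            current["user"] = int(m.group(1))
            continue
        m = FROM_RE.search(line)
        if m:
            current["from"] = int(m.group(1))
    if current:
        results.append(current)
    return [(r["line"], r["rule"], r["user"], r["from"]) for r in results]


def decisive_line(decisions):
    """The first tried line whose user and from codes are both non-zero decides
    access; return (permitted, line_no), or (True, None) if nothing matched."""
    for line_no, rule, user_code, from_code in decisions:
        if user_code and from_code:
            return rule.startswith("+"), line_no
    return True, None


if __name__ == "__main__":
    steps = trace_decisions(JOURNAL_R)
    for step in steps:
        print(step)
    print("decided by:", decisive_line(steps))
```

Fed the full trace for (2), the helper shows line 3 deciding with user_match=1 and from_match=1; for (1) and (3) it shows every group line returning user_match=0 before the final "- : ALL : ALL" denies, which is the discrepancy the report is about.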
Bug reproduction
To reproduce the bug, edit access.conf so that line 1 reads +:(groupname):LOCAL or +:(GID):LOCAL.
Enable debug output for pam_access.so in system-login and log in as a user who is a member of groupname but, when the line uses the group name rather than the GID, does not have it as their default group (i.e. the user must be listed explicitly under that group in /etc/group). The debug output will show the pam_access module failing to match the user.
Additional information:
This issue is being reported at the recommendation of fellow community members in an Arch forums thread of the same name. The thread contains some further information in case it is required.