Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-user

From: "Max R.D. Parmer" <maxp@××××××××.is>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] CoreOS vulnerability inherited from Gentoo?
Date: Tue, 31 May 2016 21:02:27
Message-Id: 1464728520.2608374.624071985.174A476B@webmail.messagingengine.com
In Reply to: Re: [gentoo-user] CoreOS vulnerability inherited from Gentoo? by "Max R.D. Parmer"
1 On Tue, May 31, 2016, at 11:07, Max R.D. Parmer wrote:
2 > On Tue, May 31, 2016, at 10:44, Mick wrote:
3 > > On Tuesday 31 May 2016 16:30:27 James wrote:
4 > > > Here is an interesting read::
5 > > >
6 > > > Security brief: CoreOS Linux Alpha remote SSH issue
7 > > > May 19, 2016 · By Matthew Garrett
8 > > >
9 > > > <snippets>
10 > > >
11 > > > Gentoo defaults to ending the PAM configuration with an optional pam_permit.
12 > > >
13 > > > This meant that failing both pam_unix and pam_sss on CoreOS systems would
14 > > > surprisingly result in authentication succeeding, and access being granted.
15 > > >
16 > > > The operator user was not used by CoreOS, but existed because it exists in
17 > > > the Gentoo Portage system from which CoreOS is derived.
18 > > > <end/snippets>
19 > > >
20 > > > Full read [1]. It kinda shows that CoreOS is derived from Gentoo
21 > > > and not ChromeOS; at least when time to blame a security lapse elsewhere....
22 > > >
23 > > >
24 > > > enjoy,
25 > > > James
26 > > >
27 > > > [1] https://coreos.com/blog/
28 > >
29 > > Does this mean we need to do anything to improve the security of our
30 > > systems?
31 >
32 > The interaction seems to be problematic when SSSD is introduced to the
33 > mix, as the SSSD documentation seems to assume a fallthrough to
34 > pam_permit.so. With a merely empty user password, I cannot trigger this
35 > issue. I will have to try with an expired account and a locked account
36 > later.
37 >
38 > the pam_permit.so line was introduced here:
39 > https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ac9023eecfe3c13d212c548bb9d5d1b42a4e044b
40 >
41 > At the very least, it does seem like it ought to be pam_deny.so instead.
42 >
43 > I wonder if this issue is still even relevant for Kerberos users?
44 > https://bugs.gentoo.org/show_bug.cgi?id=333393
45 >
46
47 Yeah -- doesn't work with a locked or expired account either.
Report Message
Find on MARC Find on Google Groups