From: Dag-Erling Smørgrav <des@des.no>
To: Tom McLaughlin
Cc: freebsd-security@freebsd.org
Date: Tue, 24 Jul 2007 14:22:13 +0200
Subject: Re: sudo + pam_lastlog causes user to appear logged out in logs.
Message-ID: <86fy3evvnu.fsf@dwp.des.no>
In-Reply-To: <1185167207.99537.22.camel@localhost> (Tom McLaughlin's message of "Mon, 23 Jul 2007 01:06:47 -0400")
List-Id: freebsd-security@freebsd.org "Security issues [members-only posting]"

Tom McLaughlin writes:
> Hi, this was originally reported on ports@. [1] Someone noticed that
> after running sudo their session disappeared when running `w`
> afterwards. I've done a little experimenting and this is caused when
> pam_lastlog.so is included in sudo's pam file. This results in the user
> still being logged in though according to the system logs the user has
> logged out.

There can only be one user at a time on a tty; if sudo records the
target user in wtmp, information about the invoking user being logged
in is overwritten. When sudo "logs out" the target user, it is as if
nobody is logged in on that tty. Therefore neither su nor sudo should
invoke pam_lastlog; FreeBSD's PAM configuration for su does not, and
neither do e.g. Debian's or Ubuntu's PAM configurations for su and sudo.

> I can confirm this on -CURRENT and -STABLE. I tested on a CentOS 5.0
> box and their pam_lastlog does not cause this with sudo so it appears to
> be an issue specific to ours. Can someone take a look into this? Also,
> is there any way sudo can work around this? Right now I've commented
> out the session line in the pam file that is installed by the port so
> most users will not be affected. Thanks.

It is bad form to leave a service unconfigured in a PAM stack, as PAM
will fall back to the default stack (if one exists) which may not be
what you want. Instead, use pam_permit.

DES
-- 
Dag-Erling Smørgrav - des@des.no
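The two points in the reply above (pam_lastlog does not belong in sudo's session phase, and the session phase should not simply be commented out) can be checked mechanically. The script below is an added example, not part of the list post or of the sudo port: it emits a constructed "before" stack with pam_lastlog in the session phase beside a corrected one that keeps the phase configured with pam_permit, and provides a small audit function that flags any active pam_lastlog session line in a given pam.d file. The stack contents, the use of FreeBSD's `include system` syntax, and the path /usr/local/etc/pam.d/sudo are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the sudo port).
# Assumed install path for the port's PAM file: /usr/local/etc/pam.d/sudo

# Constructed "before" stack: pam_lastlog in sudo's session phase records the
# target user on the tty and thereby clobbers the invoking user's utmp/wtmp
# entry, so `w` no longer shows the real login.
weak_sudo_stack() {
cat <<'EOF'
auth       include   system
account    include   system
session    required  pam_lastlog.so  no_fail
EOF
}

# Corrected stack: the session phase stays configured (so PAM does not fall
# back to the default stack) but is a deliberate no-op via pam_permit.
fixed_sudo_stack() {
cat <<'EOF'
auth       include   system
account    include   system
session    required  pam_permit.so
EOF
}

# check_stack FILE
# Returns 1 and prints the offending line(s) if an active (uncommented)
# session line loads pam_lastlog; returns 0 otherwise.
check_stack() {
    grep -E '^[[:space:]]*session[[:space:]].*pam_lastlog' "$1" && return 1
    return 0
}

# Stand-alone demonstration: audit a copy of each stack in a temp directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    weak_sudo_stack  > "$d/sudo.weak"
    fixed_sudo_stack > "$d/sudo.fixed"
    for f in "$d/sudo.weak" "$d/sudo.fixed"; do
        if check_stack "$f" >/dev/null; then
            echo "$f: ok"
        else
            echo "$f: pam_lastlog active in session phase"
        fi
    done
    rm -rf "$d"
fi
```

Run it with `sh audit_pam.sh demo`, or source it and call `check_stack /usr/local/etc/pam.d/sudo` (and the su stack) on a real host; a non-zero return identifies a stack that will overwrite the invoking user's tty record.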