-
Bug
-
Resolution: Done-Errata
-
Normal
-
rhel-9.3.0.z
-
pam-1.5.1-18.el9
-
None
-
Impediment
-
None
-
sst_idm_sssd
-
ssg_idm
-
23
-
24
-
0
-
True
-
-
No
-
Red Hat Enterprise Linux
-
None
-
Pass
-
Automated
-
Unspecified Release Note Type - Unknown
-
-
x86_64
-
None
What were you trying to do that didn't work?
Bug related to the issue. Errata came on RHEL 8.4
- [1866866 - PAM can't identify the user when running via gnome-terminal in an X session](https://bugzilla.redhat.com/show_bug.cgi?id=1866866)
However, something changed and the behavior are still present.
Please provide the package NVR for which bug is seen:
RHEL8.5: pam 1.3.1-15.el8 - correct behaviour
RHEL9.1: 1.5.1-12.el9 and 1.5.1-15.el9 (9.3) exhibit the same problem
Steps to Reproduce:
1. Create "testuser" user and set password
2. Configure "testuser" user in sudoers to be able to sudo without password:
---
testuser ALL=(ALL) NOPASSWD: ALL
---
3. Congiure pam.d/sudo to verify the account based on group membership, for example
Comment out : "#account include system-auth" and replace with:
---
account sufficient pam_wheel.so trust group=users debug
---
4. Added the below line on /etc/pam.d/su
---
account sufficient pam_wheel.so trust group=users debug
---
4. Add user to users group: usermod -G users testuser
5. Ssh into the machine as "testuser" and issue "sudo su" or any "sudo <command>" and verify you can elevate successfully
Evidences:
RHEL 8.8
~~~
PAM Config
[testuser@winbind ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
#auth include system-auth
account sufficient pam_wheel.so trust group=users debug
account include system-auth
password include system-auth
session include system-auth
[testuser@winbind ~]$ cat /etc/pam.d/su
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
account sufficient pam_wheel.so trust group=users debug
- Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid - Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Secure logs
Nov 14 13:37:44 winbind sshd[12902]: Accepted password for testuser from 192.168.122.1 port 37124 ssh2
Nov 14 13:37:44 winbind sshd[12902]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Nov 14 13:38:01 winbind sudo[12957]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:38:01 winbind sudo[12957]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:38:01 winbind sudo[12957]: pam_unix(sudo:session): session opened for user root by testuser(uid=0)
Nov 14 13:38:01 winbind su[12958]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:38:01 winbind su[12958]: pam_unix(su:session): session opened for user root by testuser(uid=0)
ssh from an external terminal
Nov 14 13:42:46 winbind sshd[13443]: Accepted password for testuser from 192.168.122.1 port 52170 ssh2
Nov 14 13:42:46 winbind systemd[13449]: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
Nov 14 13:42:46 winbind sshd[13443]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Nov 14 13:42:46 winbind sudo[13482]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:42:46 winbind sudo[13482]: testuser : TTY=unknown ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:42:46 winbind sudo[13482]: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 14 13:42:46 winbind su[13513]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:42:46 winbind su[13513]: pam_unix(su:session): session opened for user root by (uid=0)
~~~
RHEL 9.3
~~~
PAM Config
[testuser@rhel91 ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
#auth include system-auth
account sufficient pam_wheel.so trust group=users debug
account include system-auth
password include system-auth
session include system-auth
[testuser@rhel91 ~]$ cat /etc/pam.d/su
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
account sufficient pam_wheel.so trust group=users debug
- Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid - Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Secure logs
Nov 14 13:37:44 rhel91 sshd[9950]: Accepted password for testuser from 192.168.122.1 port 48546 ssh2
Nov 14 13:37:44 rhel91 sshd[9950]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
Nov 14 13:38:01 rhel91 sudo[9998]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:38:01 rhel91 sudo[9998]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:38:01 rhel91 sudo[9998]: pam_unix(sudo:session): session opened for user root(uid=0) by testuser(uid=1001)
Nov 14 13:38:01 rhel91 su[9999]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:38:01 rhel91 su[9999]: pam_unix(su:session): session opened for user root(uid=0) by testuser(uid=0)
ssh from an external terminal
Nov 14 13:42:46 rhel91 sshd[10340]: Accepted password for testuser from 192.168.122.1 port 53194 ssh2
Nov 14 13:42:46 rhel91 systemd[10346]: pam_unix(systemd-user:session): session opened for user testuser(uid=1001) by (uid=0)
Nov 14 13:42:46 rhel91 sshd[10340]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
Nov 14 13:42:46 rhel91 sudo[10381]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:42:46 rhel91 sudo[10381]: testuser : PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:42:46 rhel91 sudo[10381]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
Nov 14 13:42:46 rhel91 su[10406]: pam_wheel(su:account): Access denied to 'root' for 'root' ----> pam_wheel is not picking up the original UID like in RHEL8.8 and it's recognising the user as root, it is then denying access.
Nov 14 13:42:46 rhel91 su[10406]: pam_unix(su:session): session opened for user root(uid=0) by (uid=0)
~~~
-
- The issue is reproduced only when we ssh from an external machine, even when the message said it is denied, the sudo su worked.
i.e: external host: ssh testuser@machine "sudo su"
Customer words:
Ultimately, the situation is that rules that use pam_wheel and are supposed to authorise and deny the user based on the original UID are not working. This is arguably worse than what was happening before 1.3.1-14.el8 where at least it was failing and denying access while now it's wrongly assigning root identity as the original UID, granting access to users who should be denied.
- links to
-
RHBA-2023:123902 pam bug fix and enhancement update
- mentioned on