Bug 484750 - audit not supported when using verify-shadow or verify-crypt
Status: RESOLVED OBSOLETE
Product: gdm
Classification: Core
Component: general
Version: 2.16.x
Hardware: Other
OS: All
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: GDM maintainers
QA Contact: GDM maintainers
Depends on:
Blocks:
Reported: 2007-10-08 14:49 UTC by hf
Modified: 2010-06-04 20:23 UTC
See Also:
GNOME target: ---
GNOME version: 2.15/2.16

Description hf 2007-10-08 14:49:43 UTC
Please describe the problem:
When gdm (configured not to use PAM) logs a failed login attempt, it logs the username with it.
This is a security risk, since if the user just got out of sync with the login widget, she'll have her password logged. And she has to get help from the admin to remove it - if she is aware of the fact at all.

But it gets worse: gdm syslogs _everything_ with category
LOG_DAEMON which goes to the usually world-readable
/var/log/messages, instead of logging security-sensitive data with LOG_AUTH. 


Steps to reproduce:
1. Configure gdm without PAM (e.g. build x11/gdm from pkgsrc on NetBSD)
2. Log in in a hurry, getting out of sync with the username/password sequence of gdm.


Actual results:
Look up /var/log/messages, and find your password logged there.


Expected results:
Note a failed login, but do not log the username.

Does this happen every time?
Yes.

Other information:
See NetBSD PR #31417
http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=31417
Comment 1 Brian Cameron 2007-10-08 21:55:39 UTC
Could you tell us which specific gdm_debug line should be removed from the code in order to avoid putting the password in the log file when debug is turned on?

Also, in your steps to reproduce you say "log in in a hurry, getting out of sync with the username/password sequence of gdm".

When you say this do you mean to say that the password is logged to the logfile all the time, or only when the user enters their password when the GUI is asking for the username?
Comment 2 hf 2007-10-09 15:04:57 UTC
(In reply to comment #1)
> Also, in your steps to reproduce you say "log in in a hurry, getting out of
> sync with the username/password sequence of gdm".
> 
> When you say this do you mean to say that password is logged to the logfile all
> the time, or only when the user enters their password when the GUI is asking
> for username?

The latter. It happens all the time, to us two-fingered typists...
Comment 3 hf 2007-10-09 15:21:23 UTC
(In reply to comment #1)
> Could you tell us which specific gdm_debug line should be removed from the code
> in order to avoid putting the password in the log file when debug is turned on?

From gdm 2.20 sources:

[hf@Gstoder] /<1>tmp/gdm-2.20.0 > grep -H -n "t authenticate user" */*.[ch]
daemon/verify-crypt.c:181:              g_warning (_("Couldn't authenticate user \"%s\""), login);
daemon/verify-crypt.c:195:              g_warning (_("Couldn't authenticate user \"%s\""), login);
daemon/verify-pam.c:1029:                       gdm_error (_("Couldn't authenticate user"));
daemon/verify-pam.c:1074:                       gdm_error (_("Couldn't authenticate user"));
daemon/verify-pam.c:1421:                       gdm_error (_("Couldn't authenticate user"));
daemon/verify-pam.c:1433:               gdm_error (_("Couldn't authenticate user"));
daemon/verify-shadow.c:202:             g_warning (_("Couldn't authenticate user \"%s\""), login);
daemon/verify-shadow.c:216:             g_warning (_("Couldn't authenticate user \"%s\""), login);
[hf@Gstoder] /<1>tmp/gdm-2.20.0 >

-- as you see, when gdm is configured to use PAM, it does not print the user. I have verified this on our Debian 4 machines. 

When gdm is configured to use shadow password or crypt, OTOH, it prints the user name (might be a password, mistakenly entered in the wrong moment or field), which ends up being logged to /var/log/messages (LOG_INFO).

Convert the above g_warning() messages in verify-{shadow,crypt}.c to what verify-pam.c does, and you should be fine.
Comment 4 hf 2007-10-09 15:31:00 UTC
(In reply to comment #3)
> Convert the above g_warning() messages in verify-{shadow,crypt}.c to what
> verify-pam.c does, and you should be fine.

That's only a stop-gap, though. Done properly, all authentication related messages should be syslogged to facility LOG_AUTH, or even LOG_AUTHPRIV, instead of LOG_DAEMON - the verify-pam.c code seems to get that right, instead of going through glib magic.
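The two message patterns from the grep output in comment 3, and the facility change asked for in comment 4, side by side as an added C example (not GDM's own code): the verify-shadow/verify-crypt style formatter that copies the prompt input into the log line, the verify-pam style replacement that does not, a check that untrusted input cannot reach the message, and a syslog call on LOG_AUTHPRIV instead of LOG_DAEMON. The "gdm-example" ident and the sample input "hunter2" are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
/* "Before": the verify-shadow.c / verify-crypt.c pattern from comment 3. Whatever was
 * typed at the username prompt (a password, if the user was out of sync) is logged. */
int format_failure_vulnerable(char *buf, size_t len, const char *login)
{
    return snprintf(buf, len, "Couldn't authenticate user \"%s\"", login);
}

/* "After": the verify-pam.c pattern that GDM 2.20 was changed to use everywhere.
 * The failure is still recorded, but nothing the user typed goes into the line. */
int format_failure_hardened(char *buf, size_t len, const char *login)
{
    (void)login;  /* deliberately not logged */
    return snprintf(buf, len, "Couldn't authenticate user");
}

/* Defender's check: does the untrusted prompt input survive into the message? */
int message_leaks_input(const char *msg, const char *input)
{
    return (input[0] != '\0' && strstr(msg, input) != NULL) ? 1 : 0;
}

/* Comment 4's second point: auth events go to LOG_AUTHPRIV (restricted auth log),
 * not LOG_DAEMON, which usually ends up in world-readable /var/log/messages. */
int auth_failure_priority(void)
{
    return LOG_AUTHPRIV | LOG_NOTICE;
}

/* Record a failed attempt with the hardened message on the auth facility. */
void log_auth_failure(const char *login)
{
    char msg[128];
    format_failure_hardened(msg, sizeof msg, login);
    openlog("gdm-example", LOG_PID, LOG_AUTHPRIV);  /* "gdm-example" is a made-up ident */
    syslog(auth_failure_priority(), "%s", msg);
    closelog();
}

int main(void)
{
    char buf[128];
    const char *typed = "hunter2";  /* constructed: a password typed at the username prompt */
    format_failure_vulnerable(buf, sizeof buf, typed);
    printf("vulnerable: \"%s\" leaks=%d\n", buf, message_leaks_input(buf, typed));
    format_failure_hardened(buf, sizeof buf, typed);
    printf("hardened:   \"%s\" leaks=%d\n", buf, message_leaks_input(buf, typed));
    log_auth_failure(typed);
    return 0;
}
```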
Comment 5 Brian Cameron 2007-10-10 00:21:21 UTC
Since this affects security, I went ahead and updated GDM 2.20 so that the username is no longer sent to syslog in any error messages. So that addresses the problem in the synopsis.

However, I think this only partially fixes the problem.  I believe you are suggesting that GDM should properly audit when using shadow or crypt.  At the moment auditing only works with PAM.  I've updated the synopsis to highlight that we should support proper auditing for shadow and crypt as well.
Comment 6 William Jon McCann 2010-06-04 20:23:39 UTC
Thanks for taking the time to report this bug.
However, you are using a version that is too old and not supported anymore. GNOME developers are no longer working on that version, so unfortunately there will not be any bug fixes for the version that you use.

By upgrading to a newer version of GNOME you could receive bug fixes and new functionality. You may need to upgrade your Linux distribution to obtain a newer version of GNOME.
Please feel free to reopen this bug if the problem still occurs with a newer version of GNOME.