GNOME Bugzilla – Bug 781486
Password is kept in process memory after pam_open_session
Last modified: 2017-04-27 07:54:35 UTC
Created attachment 350049
The gnome-keyring PAM module saves the password of the user in a blob associated with a PAM handle, using pam_set_data (ph, "gkr_system_authtok"...) in stash_password_for_session (https://git.gnome.org/browse/gnome-keyring/tree/pam/gkr-pam-module.c?h=3.20.0#n785). This data is kept in the process memory once the PAM session is opened, which allows the root user to read it, for example using gcore.
For example, on an up-to-date XUbuntu 16.04 virtual machine with a user named "user", the password appears in the memory of "lightdm --session-child ...":
user@xubuntuvm:~/Desktop$ ps -ef |grep 'lightdm --session-child'
root 2330 934 0 09:32 ? 00:00:00 lightdm --session-child 12 19
user 2702 2680 0 09:33 pts/6 00:00:00 grep --color=auto lightdm --session-child
user@xubuntuvm:~/Desktop$ sudo gcore 2330
Saved corefile core.2330
user@xubuntuvm:~/Desktop$ strings core.2330 |grep -C3 MySecretPassword
# Moxa Intellio serial
This password leakage/recovery has recently been instrumented with tools such as mimipenguin (https://github.com/huntergregal/mimipenguin and https://github.com/n1nj4sec/mimipy).
As the password in "gkr_system_authtok" is only used when opening a session, which happens before lightdm's session-child process forks to the user session (line 568 of function session_child_run in http://bazaar.launchpad.net/~lightdm-team/lightdm/1.20/view/head:/src/session-child.c#L255), destroying the password in the pam_sm_open_session implementation is possible and fixes this issue. If this suits you, please find attached a patch doing this.
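The following is an added example, not gnome-keyring's or lightdm's code and not the attached patch. It models the "gkr_system_authtok" stash on a hypothetical stand-in for the PAM handle (struct fake_pam_handle; a real module keeps the data with pam_set_data/pam_get_data on a pam_handle_t and links against libpam) so that the effect of the fix can be checked offline: the before-fix open_session uses the token and leaves it in place, the after-fix variant uses it and then wipes it, and memory_contains plays the role of the `gcore` + `strings | grep` step from the report by scanning the handle's bytes for the password. secure_zero, unlock_keyring_with and password_survives are assumed helper names; the password "MySecretPassword" is a constructed sample taken from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not gnome-keyring's code.  A stand-in for the PAM handle
 * holds the stashed authtok; the two open_session variants show the leak
 * and the fix; memory_contains stands in for "strings core | grep".
 */

#define AUTHTOK_MAX 256

/* Hypothetical stand-in for the per-module data slot of a pam_handle_t. */
struct fake_pam_handle {
    char authtok[AUTHTOK_MAX];           /* what "gkr_system_authtok" would hold */
    int authtok_set;
    unsigned long keyring_unlocked_with; /* stand-in for "keyring unlocked" state */
};

/* Wipe a secret through a volatile pointer so the stores cannot be dropped
 * as dead code (a plain memset right before the buffer dies often is). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Stand-in for the gcore + strings + grep check: does the secret appear
 * anywhere in the given memory region?  Returns 1 if found, 0 otherwise. */
int memory_contains(const void *region, size_t len, const char *secret)
{
    const unsigned char *p = (const unsigned char *)region;
    size_t n = strlen(secret);
    if (n == 0 || n > len)
        return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(p + i, secret, n) == 0)
            return 1;
    return 0;
}

/* Authentication stage: keep the password for the later open_session call
 * (the role of stash_password_for_session in the module).  0 on success. */
int stash_password_for_session(struct fake_pam_handle *ph, const char *password)
{
    size_t n = strlen(password);
    if (n >= AUTHTOK_MAX)
        return -1;
    memcpy(ph->authtok, password, n + 1);
    ph->authtok_set = 1;
    return 0;
}

/* Stand-in for unlocking the keyring: consumes the token without copying
 * it anywhere else (reduced here to a checksum over it). */
static unsigned long unlock_keyring_with(const char *authtok)
{
    unsigned long h = 5381;
    for (const unsigned char *p = (const unsigned char *)authtok; *p; p++)
        h = h * 33 + *p;
    return h;
}

/* pam_sm_open_session before the fix: use the token and leave it in place. */
int open_session_before_fix(struct fake_pam_handle *ph)
{
    if (!ph->authtok_set)
        return -1;
    ph->keyring_unlocked_with = unlock_keyring_with(ph->authtok);
    return 0;
}

/* pam_sm_open_session after the fix: open_session is the token's last use
 * (the session child forks the user session afterwards), so destroy it here. */
int open_session_after_fix(struct fake_pam_handle *ph)
{
    if (!ph->authtok_set)
        return -1;
    ph->keyring_unlocked_with = unlock_keyring_with(ph->authtok);
    secure_zero(ph->authtok, sizeof ph->authtok);
    ph->authtok_set = 0;
    return 0;
}

/* Run one variant end to end and report whether the password is still
 * readable in the handle afterwards: 1 = still in memory, 0 = gone,
 * -1 = the stash or the session call failed. */
int password_survives(int (*open_session)(struct fake_pam_handle *),
                      const char *password)
{
    struct fake_pam_handle ph;
    memset(&ph, 0, sizeof ph);
    if (stash_password_for_session(&ph, password) != 0)
        return -1;
    if (open_session(&ph) != 0)
        return -1;
    return memory_contains(&ph, sizeof ph, password);
}

int main(void)
{
    const char *pw = "MySecretPassword"; /* constructed sample from the report */
    printf("before fix: password still in memory = %d\n",
           password_survives(open_session_before_fix, pw));
    printf("after fix:  password still in memory = %d\n",
           password_survives(open_session_after_fix, pw));
    return 0;
}
```

Two caveats a practitioner would check in a real module: the scan here covers only the handle, whereas a core file also contains every other copy the password passed through (the PAM conversation buffer, any strdup'd copies), so each of those needs the same treatment; and a cleanup callback handed to pam_set_data only runs at pam_end, which in a display manager's session child is long after the fork into the user session, so wiping at the point of last use, as the report proposes, is what actually removes the window.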
The patch makes sense. I'm going to test it out locally for a bit, before merging it.
Thanks. Merged into git master.