7.171. pam

Security Fixes

CVE-2011-3148

A stack-based buffer overflow flaw was found in the way the pam_env module parsed users' ~/.pam_environment files. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges.

CVE-2011-3149

A denial of service flaw was found in the way the pam_env module expanded certain environment variables. If an application's PAM configuration contained user_readenv=1 (this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop.

Bug Fixes

BZ#680204

The limit on number of processes was set in the /etc/limits.d/90-nproc.conf file to 1024 processes even for the root account. Consequently, root processes confined with SELinux, such as the prelink utility started from the crond daemon, failed to start if there were more than 1024 processes running with UID 0 on the system. The limit for root processes has been set to unlimited and the confined processes are no longer blocked in the described scenario.

BZ#750601

The require_selinux option handling in the pam_namespace module was broken. As a consequence, when SELinux was disabled, it was not possible to prevent users from logging in with the pam_namespace module. This option has been fixed and PAM works as expected now.

BZ#811168

The pam_get_authtok_verify() function did not save the PAM_AUTHTOK_TYPE PAM item properly. Consequently, the authentication token type, as specified with the authtok_type option of the pam_cracklib module, was not respected in the “Retype new password” message. The pam_get_authtok_verify() function has been fixed to properly save the PAM_AUTHTOK_TYPE item and PAM now works correctly in this case.

BZ#815516

When the remember option was used, the pam_unix module was matching usernames incorrectly while searching for the old password entries in the /etc/security/opasswd file. Due to this bug, the old password entries could be mixed; the users whose usernames were a substring of another username could have the old passwords entries of another user. With this update, the algorithm that is used to match usernames has been fixed. Now only the exact same usernames are matched and the old password entries are no longer mixed in the described scenario.

BZ#825270

Prior to this update, using the pam_pwhistory module caused an error to occur when the root user was changing user's password. It was not possible to choose any password that was in user's password history as the new password. With this update, the root user can change the password regardless of whether it is in the user's history or not.

Enhancements

BZ#588893

Certain authentication policies require enforcement of password complexity restrictions even for root accounts. Thus, the pam_cracklib module now supports the enforce_for_root option, which enforces the complexity restrictions on new passwords even for the root account.

BZ#673398

The GECOS field is used to store additional information about the user, such as the user's full name or a phone number, which could be used by an attacker for an attempt to crack the password. The pam_cracklib module now also allows to specify the maximum allowed number of consecutive characters of the same class (lowercase, uppercase, number, and special characters) in a password.

BZ#681694

Certain authentication policies do not allow passwords which contain long continuous sequences such as “abcd” or “98765”. This update introduces the possibility to limit the maximum length of these sequences by using the new maxsequence option.

BZ#732050

Certain authentication policies require support for locking of an account that is not used for a certain period of time. This enhancement introduces an additional function to the pam_lastlog module, which allows users to lock accounts after a configurable number of days.

BZ#769694

On a system with multiple tmpfs mounts, it is necessary to limit their size to prevent them from occupying all of the system memory. This update allows to specify the maximum size and some other options of the tmpfs file system mount when using the tmpfs polyinstantiation method.