RHBA-2013:0032 - Bug Fix Advisory

Topic

Updated pam packages that fix three bugs and add various enhancements are now
available for Red Hat Enterprise Linux 5.

Description

Pluggable Authentication Modules (PAM) provide a system to set up authentication
policies without the need to recompile programs to handle authentication.

This update fixes the following bugs:

• Due to an error in the %post script, the /var/log/faillog and

/var/log/tallylog files were truncated on PAM upgrade. Consequently, the user
authentication failure records were lost. The %post script has been fixed, and
the user authentication failure records are now preserved during the pam package
upgrade. (BZ#614765)

• When the "remember" option was used, the pam_unix and pam_cracklib modules

were matching usernames incorrectly while searching for the old password entries
in the /etc/security/opasswd file. Due to this bug, the old password entries
could be mixed; the users whose usernames were a substring of another username
could have the passwords entries of another user. With this update, the string
that is used to match usernames has been fixed. Now only the exact same
usernames are matched and the entries about old passwords are no longer mixed in
the described scenario. (BZ#768087)

• Prior to this update, using the pam_pwhistory module caused an error when

changing user's password. It was not possible to choose any password, that was
in user's password history, as a new password. With this update, root can change
the password regardless of whether it is in the user's history or not.
(BZ#824858)

This update also adds the following enhancements:

• Prior to this update, the pam_listfile module was searching through all group

entries using the getgrent command when looking for group matches. Due to this
implementation, getgrent took too much time on systems using central identity
servers such as LDAP for storing large number of groups. This feature has been
replaced by more efficient implementation, which does not require to look up
through all groups on the system. As a result, pam_listfile is now much faster
in the described scenario. (BZ#551312)

• Previously, the pam_access module did not include the nodefgroup option.

Consequently, it was impossible to differentiate between users and groups using
this module. This enhancement adds backported support for the nodefgroup option
of pam_access. When using this option, the user field of the entries in the
access.conf file is not matched against groups on the system. The group matches
have to be explicitly marked with parentheses "(" and ")". (BZ#675835)

• Prior to this update, when the pam_exec module ran an external command, the

environment variables such as PAM_USER or PAM_HOST were not exported. This
enhancement adds support for exporting environment variables, including those
which contains common PAM item values from the PAM environment to the script
that is executed by the pam_exec module. (BZ#554518)

• This update improved the pam_cracklib module, which is used to check

properties of a new password entered by the user and reject it if it does not
meet the specified limits. The pam_cracklib module now allows to check whether a
new password contains the words from the GECOS field entries in the
"/etc/passwd" file. It also allows to specify the maximum allowed number of
consecutive characters of the same class (lowercase, uppercase, number, and
special characters) in a password. (BZ#809247)

All pam users are advised to upgrade to these updated packages, which fix these
bugs and adds these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 551312 - [RFE] pam_listfile calls getgrent(), apply patch to call pam_modutil_user_in_group_nam_nam()
• BZ - 554518 - pam_exec doesn't export environment variables
• BZ - 614765 - PAM truncates /var/log/faillog on upgrade
• BZ - 768087 - pam remember can check wrong username if it is a substring of another username

CVEs

(none)

References

(none)