[Pkg-xfce-devel] Bug#842202: lightdm combined with pam_ldap and mixed case usernames results in broken group enumeration, etc.

Brian Kroth bpkroth at gmail.com
Wed Oct 26 20:51:58 UTC 2016


Package: lightdm
Version: 1.10.3-3
Severity: normal

Dear Maintainer,

We have an environment that uses pam_ldap to authenticate most of our 
users.

Due to some nuances of the core (open)LDAP schema, the uid attribute 
will return success on "equality" matches even if the requested query 
includes spaces or mixed case.  See Also:
http://www.openldap.org/lists/openldap-software/200204/msg00337.html

So, if you attempt to login as " Bkroth" instead of "bkroth", the LDAP 
server will respond successfully.

Unfortunately, pam_ldap (probably reasonably) just takes that to mean 
that the provided username is valid and passes it through (it did ask 
for an equality match after all).  A better thing to do at that stage 
would probably be to hand back the value in the uid attribute that the 
LDAP server responded with, but I'll leave that for a separate pam_ldap 
bug report.  Somewhat related:
https://forums.opensuse.org/showthread.php/445925-pam_ldap-username-case-sensitivity-on-OpenSuSE-11-2

The trouble is that lightdm takes the user-provided value and 
1) assigns it to the USER and LOGNAME environment variables, and
2) uses it to try and initgroups(), which then fails (group memberships 
in LDAP are usually done with fully qualified DNs, which don't do the 
loose equality matching described above).

The combination of incorrect USER environment variables and missing 
supplementary groups causes lots of other problems.

Note that programs like su, login, ssh, etc. don't exhibit this behavior, 
since they turn around and perform a lookup of the "true" username 
against the NSS database again when populating the environment 
variables.  Here are a few examples:
https://github.com/shadow-maint/shadow/blob/master/src/su.c#L928
https://github.com/openssh/openssh-portable/blob/V_6_7/session.c#L1179

The attached patch essentially just adjusts lightdm's behavior to 
perform the same sort of NSS lookup to get the true username.

I also have a dumbed-down sample test program to illustrate the issue 
outside of lightdm in case it helps.

Let me know if you have any questions or comments.

Thanks,
Brian

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages lightdm depends on:
ii  adduser                                3.113+nmu3
ii  dbus                                   1.8.20-0+deb8u1
ii  debconf [debconf-2.0]                  1.5.56
ii  libc6                                  2.19-18+deb8u6
ii  libgcrypt20                            1.6.3-2+deb8u2
ii  libglib2.0-0                           2.42.1-1+b1
ii  libpam-systemd                         215-17+deb8u5
ii  libpam0g                               1.1.8-3.1+deb8u1+b1
ii  libxcb1                                1.10-3+b1
ii  libxdmcp6                              1:1.1.1-1+b1
ii  lightdm-gtk-greeter [lightdm-greeter]  1.8.5-2

Versions of packages lightdm recommends:
ii  xserver-xorg  1:7.7+7

Versions of packages lightdm suggests:
ii  accountsservice  0.6.37-3+b1
ii  upower           0.99.1-3.2

-- Configuration Files:
/etc/lightdm/lightdm.conf changed [not included]

-- debconf information excluded
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lightdm-1.10.3_normalize-username.patch
Type: text/x-diff
Size: 4298 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20161026/de7ad515/attachment.patch>
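The following is an added illustration of the two mechanisms the report contrasts; it is not lightdm's code and not the attached patch. The first part approximates the LDAP caseIgnoreMatch string preparation (case folding, trimming, collapsing runs of spaces) under which "(uid= Bkroth)" is an equality match for an entry whose uid is "bkroth". The second part is the NSS round-trip that su and sshd perform: resolve whatever was typed with getpwnam_r() and then use the returned pw_name, not the typed string, for USER/LOGNAME and for group enumeration. The account "root" and the user name "definitely-no-such-user" are constructed test inputs so the program runs on a plain glibc system without an LDAP backend; on such a system only an exact spelling resolves, whereas behind pam_ldap/nss_ldap " Bkroth" would resolve and pw_name would come back as "bkroth".

```c
/* Added example, not lightdm's code. Assumes glibc on Linux. */
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Approximate caseIgnoreMatch preparation (RFC 4518 style): lowercase,
 * drop leading/trailing spaces, collapse interior runs of spaces to one.
 * Returns 0 on success, -1 if the output buffer is too small. */
int ldap_caseignore_normalize(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int pending_space = 0;

    while (*in == ' ')
        in++;                                   /* leading spaces are insignificant */
    for (; *in; in++) {
        if (*in == ' ') { pending_space = 1; continue; }
        if (pending_space) {                    /* interior run becomes one space */
            if (o + 1 >= outlen) return -1;
            out[o++] = ' ';
            pending_space = 0;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)tolower((unsigned char)*in);
    }
    out[o] = '\0';                              /* trailing spaces were never copied */
    return 0;
}

/* 1 if a and b are equal under caseIgnoreMatch, 0 otherwise.
 * This is why the LDAP server answers the bind/search for " Bkroth". */
int ldap_caseignore_equal(const char *a, const char *b)
{
    char na[256], nb[256];
    if (ldap_caseignore_normalize(a, na, sizeof na) < 0) return 0;
    if (ldap_caseignore_normalize(b, nb, sizeof nb) < 0) return 0;
    return strcmp(na, nb) == 0;
}

/* The su/sshd step: look the typed name up through NSS and hand back the
 * stored spelling (pw_name) plus the primary gid. Returns 0 on success,
 * -1 if NSS does not know the name or the buffer is too small. */
int canonical_login_name(const char *typed, char *name, size_t namelen, gid_t *gid_out)
{
    struct passwd pw, *result = NULL;
    char buf[4096];

    if (getpwnam_r(typed, &pw, buf, sizeof buf, &result) != 0 || result == NULL)
        return -1;
    if (strlen(result->pw_name) + 1 > namelen)
        return -1;
    strcpy(name, result->pw_name);
    if (gid_out)
        *gid_out = result->pw_gid;
    return 0;
}

/* Supplementary-group count for a name via getgrouplist(), which needs no
 * privileges (initgroups() does). A name NSS does not recognise yields only
 * the primary gid, i.e. the "missing supplementary groups" symptom.
 * Returns -1 only on an internal buffer overflow. */
int count_groups(const char *name, gid_t primary)
{
    gid_t groups[256];
    int n = sizeof groups / sizeof groups[0];

    if (getgrouplist(name, primary, groups, &n) < 0)
        return -1;
    return n;
}

/* What a display manager should export: the canonical name, never the typed one. */
int export_login_env(const char *canonical)
{
    if (setenv("USER", canonical, 1) != 0) return -1;
    if (setenv("LOGNAME", canonical, 1) != 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *typed = argc > 1 ? argv[1] : "root";   /* "root" is a constructed sample */
    char canonical[256];
    gid_t gid;

    printf("caseIgnoreMatch(\" Bkroth\", \"bkroth\") = %d\n",
           ldap_caseignore_equal(" Bkroth", "bkroth"));
    if (canonical_login_name(typed, canonical, sizeof canonical, &gid) != 0) {
        fprintf(stderr, "NSS does not know '%s'\n", typed);
        return 1;
    }
    export_login_env(canonical);
    printf("typed '%s' -> pw_name '%s', %d group(s), USER=%s\n",
           typed, canonical, count_groups(canonical, gid), getenv("USER"));
    return 0;
}
```

Run it as `./a.out " Bkroth"` on a host whose NSS is backed by LDAP to see the typed spelling replaced by the stored uid before USER, LOGNAME and the group list are derived from it; on a files-only host the same argument is simply rejected, which is the behaviour the report wants lightdm to inherit instead of trusting the string pam_ldap passed through.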
