List: centos
Subject: [CentOS] C7 pam_oath.so changes group ownership of system file
From: Tom Yates <madhatter () teaparty ! net>
Date: 2022-06-04 9:44:47
Message-ID: 5863c7ea-3e66-cddb-16af-537a51ca7e3 () teaparty ! net
I'm using pam_oath.so to control sudo access. The following line appears
in my /etc/pam.d/sudo:
auth sufficient pam_oath.so usersfile=/etc/users.oath window=5 digits=8
It works well, and has done since time out of mind. I've recently
noticed, however, that having a user authenticate via a HOTP OATH token
not only causes the /etc/users.oath file to be updated (which makes sense,
the stored counter needs to be incremented) but also to have its
group-ownership changed to the primary group of the last user who sudoed.
The file has no group read- or writeability, but it still strikes me as
weird, and if the group modes were not -rwx, it might be a vulnerability.
Does anyone else use HOTP OATH via PAM, and see this? Is there a good
reason for it?
[me@dormouse ~]$ ls -la /etc/users.oath
-rw-------. 1 root root 550 Jun 4 10:31 /etc/users.oath
[me@dormouse ~]$ sudo -l
One-time password (OATH) for `me':
[...]
User me may run the following commands on dormouse:
(ALL) ALL
[me@dormouse ~]$ ls -la /etc/users.oath
-rw-------. 1 root me 550 Jun 4 10:33 /etc/users.oath
--
Tom Yates - https://www.teaparty.net
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
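Added example, not code from Tom's post or from oath-toolkit: a Python script that (a) audits a usersfile for owner, group and mode drift, which is the check a cron job could run after sudo activity to catch the change Tom saw, and (b) shows a temp-file-and-rename rewrite that copies the original owner, group and mode onto the new file before the rename. That pam_oath rewrites the file this way, and that the group change comes from the writing process's effective gid, is an assumption used to motivate the example, not something the post establishes. The sample file contents, the scratch paths and the function names are all constructed for the example.

```python
"""Audit a pam_oath usersfile and rewrite it without losing owner/group/mode.

Added example, not code from the original post or from oath-toolkit. The
mechanism it illustrates (the file being replaced via a temp file whose ids
come from the writing process) is an assumption, not established by the
post. Sample contents below are constructed.
"""
import os
import shutil
import stat
import tempfile

# Constructed sample; the seed is a placeholder, not a real secret, and the
# line layout only loosely follows the usersfile syntax.
SAMPLE_USERSFILE = (
    "# constructed sample users.oath\n"
    "HOTP/E/8 me - 3132333435363738393031323334353637383930\n"
)


def audit_usersfile(path, expected_uid=0, expected_gid=0, expected_mode=0o600):
    """Return a list of findings; an empty list means root:root 0600 (or the
    ids passed in) with no group/other bits, which is what a file holding
    shared OTP seeds should look like."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"group gid {st.st_gid}, expected {expected_gid}")
    if mode != expected_mode:
        findings.append(f"mode {mode:04o}, expected {expected_mode:04o}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group or other access bits set on a secrets file")
    return findings


def rewrite_preserving_ownership(path, new_contents):
    """Atomically replace `path` with `new_contents`, copying the original
    owner, group and mode onto the temp file before the rename.

    Without the fchown/fchmod step the renamed file carries whatever ids the
    writing process created it with; a helper running with the invoking
    user's gid would then leave the file group-owned by that user, which is
    the symptom described in the post. fchown needs privilege to change the
    uid and group membership to change the gid, so an unprivileged caller
    only gets through when the ids already match."""
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".users.oath.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), stat.S_IMODE(st.st_mode))
            os.fchown(f.fileno(), st.st_uid, st.st_gid)
            f.write(new_contents)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX: readers see old or new, never partial
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return os.stat(path)


def run_demo():
    """Run both helpers on a constructed file in a scratch directory (no root
    needed) and return what was observed."""
    workdir = tempfile.mkdtemp(prefix="oath-demo-")
    try:
        path = os.path.join(workdir, "users.oath")
        with open(path, "w") as f:
            f.write(SAMPLE_USERSFILE)
        os.chmod(path, 0o600)
        st = os.stat(path)
        # Unprivileged demo: expect our own ids rather than root's.
        clean = audit_usersfile(path, st.st_uid, st.st_gid)
        os.chmod(path, 0o640)  # the "what if the group bits were set" case
        loosened = audit_usersfile(path, st.st_uid, st.st_gid)
        os.chmod(path, 0o600)
        # Stand-in for the counter update pam_oath performs after a HOTP login.
        updated = SAMPLE_USERSFILE + "# counter updated (constructed)\n"
        after = rewrite_preserving_ownership(path, updated)
        with open(path) as f:
            contents = f.read()
        return {
            "clean": clean,
            "loosened": loosened,
            "mode_kept": stat.S_IMODE(after.st_mode) == 0o600,
            "ids_kept": (after.st_uid, after.st_gid) == (st.st_uid, st.st_gid),
            "contents_updated": contents == updated,
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

For real use, call audit_usersfile("/etc/users.oath") with the defaults from a root cron job after sudo activity: it returns an empty list only for root:root 0600, and the gid finding is exactly the drift shown in the ls output above. The demo runs unprivileged, so it can only exercise the mode findings; the uid/gid findings need a file whose ids differ from the expected ones.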