此内容没有您所选择的语言版本。
7.171. pam
Updated pam packages that fix two security issues and several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs to handle authentication.
Security Fixes
- CVE-2011-3148
- A stack-based buffer overflow flaw was found in the way the
pam_env
module parsed users'~/.pam_environment
files. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges. - CVE-2011-3149
- A denial of service flaw was found in the way the
pam_env
module expanded certain environment variables. If an application's PAM configuration containeduser_readenv=1
(this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop.
Red Hat would like to thank Kees Cook of the Google ChromeOS Team for reporting the CVE-2011-3148 and CVE-2011-3149 issues.
Bug Fixes
- BZ#680204
- The limit on number of processes was set in the
/etc/limits.d/90-nproc.conf
file to 1024 processes even for the root account. Consequently, root processes confined with SELinux, such as the prelink utility started from thecrond
daemon, failed to start if there were more than 1024 processes running with UID 0 on the system. The limit for root processes has been set to unlimited and the confined processes are no longer blocked in the described scenario. - BZ#750601
- The
require_selinux
option handling in thepam_namespace
module was broken. As a consequence, when SELinux was disabled, it was not possible to prevent users from logging in with thepam_namespace
module. This option has been fixed and PAM works as expected now. - BZ#811168
- The
pam_get_authtok_verify()
function did not save thePAM_AUTHTOK_TYPE PAM
item properly. Consequently, the authentication token type, as specified with theauthtok_type
option of thepam_cracklib
module, was not respected in the “Retype new password” message. Thepam_get_authtok_verify()
function has been fixed to properly save thePAM_AUTHTOK_TYPE
item and PAM now works correctly in this case. - BZ#815516
- When the
remember
option was used, thepam_unix
module was matching usernames incorrectly while searching for the old password entries in the/etc/security/opasswd
file. Due to this bug, the old password entries could be mixed; the users whose usernames were a substring of another username could have the old passwords entries of another user. With this update, the algorithm that is used to match usernames has been fixed. Now only the exact same usernames are matched and the old password entries are no longer mixed in the described scenario. - BZ#825270
- Prior to this update, using the
pam_pwhistory
module caused an error to occur when the root user was changing user's password. It was not possible to choose any password that was in user's password history as the new password. With this update, the root user can change the password regardless of whether it is in the user's history or not.
Enhancements
- BZ#588893
- Certain authentication policies require enforcement of password complexity restrictions even for root accounts. Thus, the
pam_cracklib
module now supports theenforce_for_root
option, which enforces the complexity restrictions on new passwords even for the root account. - BZ#673398
- The GECOS field is used to store additional information about the user, such as the user's full name or a phone number, which could be used by an attacker for an attempt to crack the password. The
pam_cracklib
module now also allows to specify the maximum allowed number of consecutive characters of the same class (lowercase, uppercase, number, and special characters) in a password. - BZ#681694
- Certain authentication policies do not allow passwords which contain long continuous sequences such as “abcd” or “98765”. This update introduces the possibility to limit the maximum length of these sequences by using the new
maxsequence
option. - BZ#732050
- Certain authentication policies require support for locking of an account that is not used for a certain period of time. This enhancement introduces an additional function to the
pam_lastlog
module, which allows users to lock accounts after a configurable number of days. - BZ#769694
- On a system with multiple tmpfs mounts, it is necessary to limit their size to prevent them from occupying all of the system memory. This update allows to specify the maximum size and some other options of the tmpfs file system mount when using the tmpfs polyinstantiation method.
All pam users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.