C7 pam_oath.so changes group ownership of system file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



I'm using pam_oath.so to control sudo access. The following line appears in my /etc/pam.d/sudo:

auth       sufficient   pam_oath.so usersfile=/etc/users.oath window=5 digits=8

It works well, and has done since time out of mind. I've recently noticed, however, that having a user authenticate via a HOTP OATH token not only causes the /etc/users.oath file to be updated (which makes sense, the stored counter needs to be incremented) but also have its group-ownership changed to the primary group of the last user who sudoed.

The file has no group read- or writeability, but it still strikes me as weird, and if the group modes were not -rwx, it might be a vulnerability. Does anyone else use HOTP OATH via PAM, and see this? Is there a good reason for it?


[me@dormouse ~]$ ls -la /etc/users.oath
-rw-------. 1 root root 550 Jun  4 10:31 /etc/users.oath
[me@dormouse ~]$ sudo -l
One-time password (OATH) for `me':
[...]
User me may run the following commands on dormouse:
    (ALL) ALL
[me@dormouse ~]$ ls -la /etc/users.oath
-rw-------. 1 root me 550 Jun  4 10:33 /etc/users.oath



--

      Tom Yates  -  https://www.teaparty.net
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux