anthraxx / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening

passwd/unix_chkpwd fails with PAM 1.6.0 and linux-hardened kernel #92

Open hd-gb opened 5 months ago

hd-gb commented 5 months ago

Hi,

I originally created this issue in PAM, see https://github.com/linux-pam/linux-pam/issues/768. But they pointed out that this might possibly be caused by the restricted access to unix_chkpwd when using the hardened kernel. So I was hoping that maybe you guys could help me to figure it out. :)


I am using Arch Linux with the latest linux-hardened kernel.

Since pam 1.6.0, I get the following error when running passwd as root:

```
[root@archlinux ~]# uname -a
Linux archlinux 6.7.4-hardened1-1-hardened #1 SMP PREEMPT_DYNAMIC Tue, 13 Feb 2024 19:05:48 +0000 x86_64 GNU/Linux
[root@archlinux ~]# pacman -Q | grep -w pam
pam 1.6.0-4
[root@archlinux ~]# passwd
passwd: Authentication failure
passwd: password unchanged
```

Non-root users are not affected. Downgrading to PAM 1.5.3 solves the issue. Also this does not occur when using the stock linux kernel.

I attached the strace output here for further analysis.

Would be grateful for any help :)

hd-gb commented 3 months ago

Can be closed, see https://gitlab.archlinux.org/archlinux/packaging/packages/linux-hardened/-/issues/5