
[question]Is it safe for authfile to be readable by everyone? #131

Closed
Maryse47 opened this issue Nov 29, 2019 · 3 comments

@Maryse47

Is it safe for the authfile to be readable by everyone? Is there anything an attacker can gain by reading the authfile? Is it worth restricting authfile readability, similar to /etc/shadow?

@a-dma
Member

a-dma commented Nov 29, 2019

The Principle of Least Privilege applies in this case. There are now "game over" kind of information in that file, but it all boils down to what your threat model is. For example the user login name would be in the file.

Depending on what options you set and how you're using the module (which user is PAM running as), you may have different requirements. My suggestion is to give the file the most restrictive set of permissions that you can get away with.

@Maryse47
Author

Maryse47 commented Nov 29, 2019

I don't consider user login name as sensitive, it's freely available in /etc/passwd anyway. I'm concerned with u2f credentials (keys) stored in authfile. What would be the worst scenario if they're leaked?

The problem with restricting read access to the authfile is mostly related to screen lockers. They usually run as an unprivileged process and they need to read the authfile. It's possible to set the screenlock binary as setuid or grant it cap_read_search, which will allow reading the authfile even when it's restricted to root, but granting such privileges is a potential security hole on its own. Therefore, if stealing u2f credentials from the authfile won't allow doing anything malicious, then I would prefer making the authfile readable on my system. I just want to know what consequences of doing this may occur.

This is also relevant for yubico-pam, although the dilemma is even worse there because they also need write access.

@a-dma
Member

a-dma commented Dec 2, 2019

Keep in mind that you can have the authfile inside the user home directory where it is safer to grant read access to the user.

Generally speaking, the information within that file will allow someone to "register" a user, but for that to happen write access to the authfile is required.
Also, by knowing the keyhandle it is possible to check whether a specific device is registered for that specific host/RP.

Maryse47 closed this as completed Dec 3, 2019
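
Added example, not part of the original thread and not code from the pam-u2f project: a POSIX shell check that applies the distinction drawn in the last comment, treating read access beyond the owner as a warning and write access (to the file or, by replacement, through its directory) as critical. The function name, return codes and messages are assumptions of this example, and `stat -c` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example: audit permissions on a pam-u2f authfile (path given by caller).
# Return codes are this example's own convention:
#   0 only the owner can read or write
#   1 readable by group/others (login names and key handles are exposed)
#   2 writable by group/others, directly or via the directory
#     (write access is what lets someone else register a key)
#   3 not a regular file
# Assumes GNU coreutils stat (-c).
audit_authfile() {
    af_file=$1
    af_rc=0
    if [ ! -f "$af_file" ]; then
        echo "ERROR: $af_file is not a regular file"
        return 3
    fi
    af_mode=$(stat -c '%a' "$af_file")      # octal, e.g. 644
    af_dir=$(dirname -- "$af_file")
    af_dmode=$(stat -c '%a' "$af_dir")      # e.g. 700, or 1777 with sticky bit
    echo "$af_file: owner=$(stat -c '%U' "$af_file") mode=$af_mode dir_mode=$af_dmode"

    # Group (040) or other (004) read bit set on the file.
    if [ $(( 0$af_mode & 0044 )) -ne 0 ]; then
        echo "WARN: authfile is readable beyond its owner"
        af_rc=1
    fi
    # Group (020) or other (002) write bit set on the file.
    if [ $(( 0$af_mode & 0022 )) -ne 0 ]; then
        echo "CRIT: authfile is writable beyond its owner"
        af_rc=2
    fi
    # A group/other-writable directory without the sticky bit (01000)
    # lets another account replace the file wholesale.
    if [ $(( 0$af_dmode & 0022 )) -ne 0 ] && [ $(( 0$af_dmode & 01000 )) -eq 0 ]; then
        echo "CRIT: $af_dir is writable beyond its owner, authfile can be replaced"
        af_rc=2
    fi
    return "$af_rc"
}

# Usage: audit_authfile /path/to/authfile
```

A return of 1 matches the trade-off discussed for screen lockers: the file is readable by an unprivileged process but still cannot be modified by it.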