PamAuthorization.qhelp

<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
  <overview>
    <p>
      Using only a call to
      <code>pam_authenticate</code>
      to check the validity of a login can lead to authorization bypass vulnerabilities.
    </p>
    <p>
      A
      <code>pam_authenticate</code>
      only verifies the credentials of a user. It does not check if a user has an
      appropriate authorization to actually login. This means a user with an expired
      login or a password can still access the system.
    </p>

  </overview>

  <recommendation>
    <p>
      A call to
      <code>pam_authenticate</code>
      should be followed by a call to
      <code>pam_acct_mgmt</code>
      to check if a user is allowed to login.
    </p>
  </recommendation>

  <example>
    <p>
      In the following example, the code only checks the credentials of a user. Hence,
      in this case, a user with expired credentials can still login. This can be
      verified by creating a new user account, expiring it with
      <code>chage -E0 `username` </code>
      and then trying to log in.
    </p>
    <sample src="PamAuthorizationBad.py" />

    <p>
      This can be avoided by calling
      <code>pam_acct_mgmt</code>
      call to verify access as has been done in the snippet shown below.
    </p>
    <sample src="PamAuthorizationGood.py" />
  </example>

  <references>
    <li>
      Man-Page:
      <a href="https://man7.org/linux/man-pages/man3/pam_acct_mgmt.3.html">pam_acct_mgmt</a>
    </li>
  </references>
</qhelp>