LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-12-2019, 08:09 AM   #1
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 852

Rep: Reputation: 286Reputation: 286Reputation: 286
Question PAM & SUID bit on /usr/bin/passwd ("Authentication Token Manipulation Error")


I've started playing a little bit with PAM on my Debian 9 server (kernel 4.9.0-9-amd64), especially with libpam-cracklib in order to enforce a better account password policy.
So in my /etc/pam.d/common-password, I've added the following:
Code:
password requisite pam_cracklib.so retry=3 difok=3 dcredit=-1 lcredit=-1 minlen=12 ocredit=-1 reject_username ucredit=-1
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=400
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
I didn't need to create file /etc/security/opasswd as it was already present (probably created during libpam-cracklib installation), with the appropriate permissions:
Code:
-rw------- 1 root root 0 jul 12 12:50 /etc/security/opasswd
However, users are not able to change their password anymore via passwd (prompt says: "Authentication Token Manipulation Error"). It worked before...
NB: it still works via root

I've tried to delete the remember=400 part with no avail, even after reboot.

After investigation, I've noticed that the SUID bit on /usr/bin/passwd has disappeared:
Code:
-rwxr-xr-x 1 root root 59680 may 17 2017 /usr/bin/passwd
So I've just set it up again with chmod u+s /usr/bin/passwd and guess what, no problem anymore!

Question: do you have an idea why the SUID bit disappeared on /usr/bin/passwd?
Thank you in advance

Last edited by l0f4r0; 07-14-2019 at 04:07 PM. Reason: Following ehartman's comment
 
Old 07-13-2019, 01:02 AM   #2
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 899

Rep: Reputation: 470Reputation: 470Reputation: 470Reputation: 470Reputation: 470
Quote:
Originally Posted by l0f4r0 View Post
So I've just set it up again with chmod u+s /usr/bin/passwd and guess what, no problem anymore!

Question: do you have an idea why the sticky bit disappeared on /usr/bin/passwd?
Thank you in advance
I haven't got an answer to your question, just a remark:

u+s is setting the setuid (set user id) bit, just like g+s is setgid (set group id).
The "sticky" bit is set with +t, and isn't used much anymore (it meant that the code of the executable should "stick" in RAM after exit as it was likely to be needed very soon again).
They are the three special bits and mostly get cleared on all "chmod" operations on the file, unless you explicity specify them IN that chmod again.
 
1 members found this post helpful.
Old 07-14-2019, 04:06 PM   #3
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 852

Original Poster
Rep: Reputation: 286Reputation: 286Reputation: 286
Quote:
Originally Posted by ehartman View Post
u+s is setting the setuid (set user id) bit, just like g+s is setgid (set group id).
The "sticky" bit is set with +t, and isn't used much anymore (it meant that the code of the executable should "stick" in RAM after exit as it was likely to be needed very soon again).
Oups...you're completely right!!
Of course, I meant the SUID (s/S or 4000 in octal), not the sticky bit (t/T or 1000 in octal). I've just edited my OP, thank you very much ehartman

NB: it's true, the sticky bit applied to a file is not very used anymore as computers are always more powerful. However the sticky bit on a directory is much more common. It allows you to restrict the "write" permissions on it so only the owner can delete his/her files/folders inside a directory where the sticky bit is applied even if everyone has permission "w". See the /tmp folder.
 
Old 07-14-2019, 05:46 PM   #4
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 899

Rep: Reputation: 470Reputation: 470Reputation: 470Reputation: 470Reputation: 470
Quote:
Originally Posted by l0f4r0 View Post
NB: it's true, the sticky bit applied to a file is not very used anymore as computers are always more powerful. However the sticky bit on a directory is much more common.
I know, but here we were talking about an executable (normal file with x-bits).
The caching in (much larger) RAM in modern machines does all of what the t bit for executables was meant to do. And the offloading of functionality into (resident) shared libraries (objects) also did its part.
The sticky (that's what its name came from) bit was invented to stick important executables into the (low amount of) RAM at that time.

As it was only useful for executables, people have invented other uses for it later, like that usage for directories.
But in HP-UX I've also seen usage for the t-bit for symbolic links (it's called a "transition link")
Quote:
sticky bit on symlinks
======================
In HP-UX 10.0 and later, a symbolic link that has its sticky bit set is called a transition link (i.e. links to ease the transition to the new SVR4 filesystem layout). Transition links are a bit faster, because the linked-to filename is stored in the inode itself, instead of using an allocation unit to store the link.
and there are probably other uses I'm not aware of.
 
1 members found this post helpful.
  


Reply

Tags
pam, password, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
passwd: Authentication token manipulation error using PAM RHEL mcskyguy Linux - Server 5 07-08-2015 09:51 AM
"passwd: Authentication token manipulation error" Neowulf Linux - Newbie 8 03-05-2014 04:01 PM
Error: Cannot find 'ssh-keygen' in '/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin' venu.navat Linux - Software 3 03-08-2012 04:00 AM
echo $PATH = /home/g3rc4n/bin:/usr/local/bin:/usr/bin:/bin:/usr/games ? i_heart_pandas Linux - Software 7 09-18-2009 08:33 AM
passwd: Authentication token manipulation error jwholey Linux - Enterprise 4 05-10-2006 01:41 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration