From 9db67ef6e39ac51d426dee91da3b9305670241e6 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Tue, 18 Apr 2017 23:10:58 +0200
Subject: [PATCH] pam: Destroy the password in pam_sm_open_session

gnome-keyring PAM module saves the password of the user in a blob associated with a PAM handle, using pam_set_data (ph, "gkr_system_authtok"...) in stash_password_for_session. This data is kept in the process memory once the PAM session is opened, which allows root user to read it, for example using gcore. This password leakage has recently been instrumented with tools such as mimipenguin (https://github.com/huntergregal/mimipenguin and https://github.com/n1nj4sec/mimipy). Fix this leak by destroying the data blob which hold the password once it has been used in pam_sm_open_session. https://bugzilla.gnome.org/show_bug.cgi?id=781486
---
 pam/gkr-pam-module.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pam/gkr-pam-module.c b/pam/gkr-pam-module.c
index 349aded3..fa814b23 100644
--- a/pam/gkr-pam-module.c
+++ b/pam/gkr-pam-module.c
@@ -894,6 +894,12 @@ pam_sm_open_session (pam_handle_t *ph, int flags, int argc, const char **argv)
 ret = start_daemon (ph, pwd, true, password);
 }
+ /* Destroy the stored authtok once it has been used */
+ if (password && pam_set_data (ph, "gkr_system_authtok", NULL, NULL) != PAM_SUCCESS) {
+ syslog (GKR_LOG_ERR, "gkr-pam: error destroying the password");
+ return PAM_SERVICE_ERR;
+ }
+
 return PAM_SUCCESS;
 }
-- 
2.21.0
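Review bot: Passing NULL data to pam_set_data only replaces the "gkr_system_authtok" item, so whether the password bytes are actually erased depends on the cleanup callback that stash_password_for_session registered, which is outside this hunk; if that callback merely calls free(), the secret remains in the released heap memory and the leak the commit message describes is not closed. It is worth confirming that the callback wipes the buffer before freeing it (plain memset before free can be optimised away; explicit_bzero or an equivalent volatile wipe is needed), and a comment on the new check would make that dependency explicit: `/* Replacing the item runs the stash cleanup, which must zeroise the buffer before freeing it */`. After this call the local `password` presumably points at freed memory, so nothing later in pam_sm_open_session may read it; the function body begins outside the hunk, though the hunk's own tail no longer uses it. Note also that a pam_set_data failure is reported as PAM_SERVICE_ERR after start_daemon has already run, so the session open fails while the daemon stays started; if that trade-off is intended, a sentence in the comment saying so would help the next reader.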