Improper Authorization in clusterlabs/pcs
Mar 7th 2022
Pacemakers daemon pcsd allows authentication via PAMs
pam_authenticate. Unfortunately the authorization via
pam_acct_mgmt has been omitted. Therefore unprivileged expired accounts that have been denied access can still login.
Proof of Concept
You can expire an account with
chage -E0 <username>
Since disabling an account in PAM still allows to login via ssh-keys, it's common to set accounts to expire if you want to deny access. So accounts who technically don't have any privilege are still allowed to login here. This also counts for accounts with expired passwords. A fix is supplied in the report.