Article 6R7QH oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)

by jzb from LWN.net on (#6R7QH)

The SUSE Security Team Blog has a detailed report on its discovery of a privilege escalation in the oath-toolkit, which provides libraries and utilities for managing one-time password (OTP) authentication.

Fellow SUSE engineer Fabian Vogt approached our Security Team about the project's PAM module. A couple of years ago, the module gained a feature which allows to place the OTP state file (called usersfile) in the home directory of the to-be-authenticated user. Fabian noticed that the PAM module performs unsafe file operations in users' home directories. Since PAM stacks typically run as root, this can easily cause security issues.
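As an added illustration (not code from oath-toolkit or from the SUSE report), the following C sketch shows one defensive pattern for a root-run module that must open a state file inside a user-controlled home directory. The helper name `open_state_file` and the ownership, link-count and permission policy are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not oath-toolkit code): as root, open `name` inside
 * the home directory `home` of user `uid`. Returns an fd, or -1 with errno. */
int open_state_file(const char *home, const char *name, uid_t uid)
{
    struct stat st;
    /* Pin the directory by fd so a later rename or symlink swap of the
     * path cannot redirect the second open. */
    int dfd = open(home, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* O_NOFOLLOW: a symlink planted as `name` fails with ELOOP.
     * O_NONBLOCK: a planted FIFO cannot stall authentication. */
    int fd = openat(dfd, name, O_RDWR | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    int saved = errno;
    close(dfd);
    errno = saved;
    if (fd < 0)
        return -1;
    /* Validate the opened object itself, so there is no check/use race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != uid ||                      /* assumed policy: user-owned */
        st.st_nlink != 1 ||                      /* assumed policy: no hard links */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {    /* assumed policy: not shared */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 3)
        return EXIT_FAILURE;
    int fd = open_state_file(argv[1], argv[2], getuid());
    if (fd < 0)
        perror("refused");
    else
        close(fd);
    return fd < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

`O_NOFOLLOW` only guards the final path component, so intermediate components of `home` are still resolved through any symlinks they contain.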
