FS#69715 - [shadow] Redundant PAM config files

Attached to Project: Arch Linux
Opened by lukpod (lukpod) - Saturday, 20 February 2021, 14:40 GMT
Last edited by David Runge (dvzrv) - Monday, 18 September 2023, 14:40 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
David Runge (dvzrv)
Giancarlo Razzolini (grazzolini)
Architecture All
Severity Very Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

% pacman -Qlq shadow | grep /etc/pam.d/. | awk -F/ '{print "/usr/bin/"$NF}'| sort | xargs ldd |& grep -E ':|pam'
/usr/bin/chage:
/usr/bin/chgpasswd:
/usr/bin/chpasswd:
libpam.so.0 => /usr/lib/libpam.so.0 (0x00007fa01744e000)
/usr/bin/groupadd:
/usr/bin/groupdel:
/usr/bin/groupmems:
libpam.so.0 => /usr/lib/libpam.so.0 (0x00007f6902dc0000)
libpam_misc.so.0 => /usr/lib/libpam_misc.so.0 (0x00007f6902dbb000)
/usr/bin/groupmod:
/usr/bin/newusers:
libpam.so.0 => /usr/lib/libpam.so.0 (0x00007f5e05416000)
/usr/bin/passwd:
libpam.so.0 => /usr/lib/libpam.so.0 (0x00007fb42c695000)
libpam_misc.so.0 => /usr/lib/libpam_misc.so.0 (0x00007fb42c690000)
/usr/bin/shadow:
ldd: /usr/bin/shadow: No such file or directory
/usr/bin/useradd:
/usr/bin/userdel:
/usr/bin/usermod:

% rm /etc/pam.d/{groupadd,groupdel,shadow}
% groupadd -g 12345 xyz
% grep xyz /etc/group
xyz:x:12345:
% groupdel xyz
% grep xyz /etc/group

Closed by David Runge (dvzrv)
Monday, 18 September 2023, 14:40 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with 4.14.0-2
Comment by lukpod (lukpod) - Saturday, 20 February 2021, 19:00 GMT
pacman -Qlq shadow |
sed -nr 's%etc/pam.d(/.+)%usr/bin\1%p' |
xargs ldd |& sed -r '/:|pam/!d; s/ \(.+//'

https://pastebin.com/raw/MydwNPiX

pacman -Qlq shadow | sed -nr 's%etc/pam\.d(/.+)%usr/bin\1%p' | while read line
do ldd $line 2>/dev/null | grep -q pam || echo /etc/pam.d/${line##*/}
done

/etc/pam.d/chage
/etc/pam.d/chgpasswd
/etc/pam.d/groupadd
/etc/pam.d/groupdel
/etc/pam.d/groupmod
/etc/pam.d/shadow
/etc/pam.d/useradd
/etc/pam.d/userdel
/etc/pam.d/usermod

https://gitlab.archlinux.org/archlinux/packaging/packages/shadow/-/blob/main/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
Comment by lukpod (lukpod) - Monday, 11 September 2023, 20:40 GMT
Useless files are still shipped.
Comment by David Runge (dvzrv) - Sunday, 17 September 2023, 21:58 GMT
@lukpod: These files have been shipped even before adding the patches (they just extracted all the customizations from the PKGBUILD).

Can you please describe in prose which files you think are redundant and why? Tickets like these are extremely hard to parse as a reader (if there is just some program output without any explanation) and likely the reason why this has not been touched in quite some time.
I for one have hundreds of packages and if a ticket is not explaining (in *words*) what it is about, I will likely just skip over it.
Comment by loqs (loqs) - Monday, 18 September 2023, 00:08 GMT
Comment by lukpod (lukpod) - Monday, 18 September 2023, 02:07 GMT
pacman -Qlq shadow | sed -nr 's%etc/pam\.d(/.+)%usr/bin\1%p' | xargs grep libpam

grep: /usr/bin/chpasswd: binary file matches
grep: /usr/bin/groupmems: binary file matches
grep: /usr/bin/newusers: binary file matches
grep: /usr/bin/passwd: binary file matches
grep: /usr/bin/shadow: No such file or directory
Comment by lukpod (lukpod) - Monday, 18 September 2023, 02:21 GMT
Binaries using PAM:
* chpasswd
* groupmems
* newusers
* passwd

Binaries not using PAM:
* chage
* chgpasswd
* groupadd
* groupdel
* groupmod
* useradd
* userdel
* usermod

Binary not present:
* shadow

Useless files in /etc/pam.d/:
* chage
* chgpasswd
* groupadd
* groupdel
* groupmod
* shadow
* useradd
* userdel
* usermod
Comment by David Runge (dvzrv) - Monday, 18 September 2023, 07:58 GMT
@lukpod: This is not a CLI output contest... /o\
Thanks for listing the files though!

@loqs: I see. Then removing the relevant modifications from the patch is the way forward. Thank you for pointing me to it!
Comment by David Runge (dvzrv) - Monday, 18 September 2023, 10:16 GMT
@loqs: On a somewhat related note, I believe that the entire 0004 patch can then be dropped.
I guess the default upstream PAM files for chpasswd, groupmems, newusers and passwd should be fine, as we are pulling in pambase based files then.
This would also allow us to properly unify setting the default in /etc/pam.d/system-auth.
As you have spent quite some time with the related tickets I'd appreciate your input on these assumptions of mine!
Comment by loqs (loqs) - Monday, 18 September 2023, 11:18 GMT
> On a somewhat related note, I believe that the entire 0004 patch can then be dropped.
I think the only thing left would be not installing /etc/pam.d/{chfn,chsh,login} provided by util-linux.
> I guess the default upstream PAM files for chpasswd, groupmems, newusers and passwd should be fine, as we are pulling in pambase based files then.
groupmems and passwd would be the only PAM files shadow then provides. chpasswd and newusers are built without PAM support.
The only issue I could see is if sudo and alike are allowed by:
auth sufficient pam_rootok.so
> This would also allow us to properly unify setting the default in /etc/pam.d/system-auth.
Yes.
Comment by David Runge (dvzrv) - Monday, 18 September 2023, 12:14 GMT
> I think the only thing left would be not installing /etc/pam.d/{chfn,chsh,login} provided by util-linux.

While rebasing the patches to 4.14.0 I have moved these modifications to one of the earlier patches already.

> chpasswd and newusers are built without PAM support.

They link against libpam.so though: https://github.com/shadow-maint/shadow/issues/810

> The only issue I could see is if sudo and alike are allowed by:
> auth sufficient pam_rootok.so

Could you elaborate on what you mean specifically with this? I guess not that e.g. a user may use `sudo passwd` to set the root password (as that is already possible).
Comment by loqs (loqs) - Monday, 18 September 2023, 12:44 GMT
>> chpasswd and newusers are built without PAM support.

> They link against libpam.so though: https://github.com/shadow-maint/shadow/issues/810

My mistake. I should read the code comments more carefully [1][2]. Without setuid, permissions are enforced by the access to the passwd and shadow files. If PAM support is enabled that check is used in addition. With setuid when PAM support is enabled it replaces the access check to the passwd and shadow files.

[1] https://github.com/shadow-maint/shadow/blob/4.14.0/src/chpasswd.c#L289C1-L292C5
[2] https://github.com/shadow-maint/shadow/blob/4.14.0/src/newusers.c#L764C1-L772C50
Comment by David Runge (dvzrv) - Monday, 18 September 2023, 12:55 GMT
> My mistake. I should read the code comments more carefully [1][2]. Without setuid, permissions are enforced by the access to the passwd and shadow files. If PAM support is enabled that check is used in addition. With setuid when PAM support is enabled it replaces the access check to the passwd and shadow files.

Man, what a mess.... /o\

Okay... so then we might be... fine(?!) without the PAM configs for these two (chpasswd and newusers) I guess.
Comment by loqs (loqs) - Monday, 18 September 2023, 12:57 GMT
> Could you elaborate on what you mean specifically with this? I guess not that e.g. a user may use `sudo passwd` to set the root password (as that is already possible).
$ sudo password someusername
To set the password of another user. Also, does passwd still work for a non-root user to set their own password?
Comment by loqs (loqs) - Monday, 18 September 2023, 13:01 GMT
> Okay... so then we might be... fine(?!) without the PAM configs for these two (chpasswd and newusers) I guess.
That might cause an issue, as with no matching service file PAM would then fall back to /etc/pam.d/other, which denies and logs everything.
Comment by David Runge (dvzrv) - Monday, 18 September 2023, 13:49 GMT
There is now filesystem 2023.09.18-1, pambase 20230918-1 and shadow 4.14.0-1 in [core-testing].

Please give it a thorough test and report back with any problems!
Comment by David Runge (dvzrv) - Monday, 18 September 2023, 13:52 GMT
> $ sudo password someusername
> To set the password of another user. Also, does passwd still work for a non-root user to set their own password?

Given that passwd is setuid, it should?

> That might cause an issue, as with no matching service file PAM would then fall back to /etc/pam.d/other, which denies and logs everything.

Okay, I'll add them manually then and wait for upstream to get back.
Comment by loqs (loqs) - Monday, 18 September 2023, 14:10 GMT
> There is now filesystem 2023.09.18-1, pambase 20230918-1 and shadow 4.14.0-1 in [core-testing].
(1/5) Creating system user accounts...
/usr/lib/sysusers.d/shadow.conf:1: Lines of type 'g' don't take a GECOS field.
(2/5) Reloading system manager configuration...
(3/5) Applying kernel sysctl settings...
(4/5) Creating temporary files...
/usr/lib/tmpfiles.d/shadow.conf:1: Failed to resolve group 'groups': No such process
error: command failed to execute correctly

> Given that passwd is setuid, it should?
It does
Comment by David Runge (dvzrv) - Monday, 18 September 2023, 14:11 GMT
The issue with the groups group should be fixed with 4.14.0-2.
I also added the PAM integration for chpasswd and newusers back.