FS#69715 - [shadow] Redundant PAM config files
Attached to Project:
Arch Linux
Opened by lukpod (lukpod) - Saturday, 20 February 2021, 14:40 GMT
Last edited by David Runge (dvzrv) - Monday, 18 September 2023, 14:40 GMT
Details
% pacman -Qlq shadow | grep /etc/pam.d/. | awk -F/ '{print "/usr/bin/"$NF}'| sort | xargs ldd |& grep -E ':|pam'
/usr/bin/chage:
/usr/bin/chgpasswd:
/usr/bin/chpasswd:
	libpam.so.0 => /usr/lib/libpam.so.0 (0x00007fa01744e000)
/usr/bin/groupadd:
/usr/bin/groupdel:
/usr/bin/groupmems:
	libpam.so.0 => /usr/lib/libpam.so.0 (0x00007f6902dc0000)
	libpam_misc.so.0 => /usr/lib/libpam_misc.so.0 (0x00007f6902dbb000)
/usr/bin/groupmod:
/usr/bin/newusers:
	libpam.so.0 => /usr/lib/libpam.so.0 (0x00007f5e05416000)
/usr/bin/passwd:
	libpam.so.0 => /usr/lib/libpam.so.0 (0x00007fb42c695000)
	libpam_misc.so.0 => /usr/lib/libpam_misc.so.0 (0x00007fb42c690000)
/usr/bin/shadow:
ldd: /usr/bin/shadow: No such file or directory
/usr/bin/useradd:
/usr/bin/userdel:
/usr/bin/usermod:
% rm /etc/pam.d/{groupadd,groupdel,shadow}
% groupadd -g 12345 xyz
% grep xyz /etc/group
xyz:x:12345:
% groupdel xyz
% grep xyz /etc/group
Closed by David Runge (dvzrv)
Monday, 18 September 2023, 14:40 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with 4.14.0-2
sed -nr 's%etc/pam.d(/.+)%usr/bin\1%p' |
xargs ldd |& sed -r '/:|pam/!d; s/ \(.+//'
https://pastebin.com/raw/MydwNPiX
pacman -Qlq shadow | sed -nr 's%etc/pam\.d(/.+)%usr/bin\1%p' | while read line
do ldd $line 2>/dev/null | grep -q pam || echo /etc/pam.d/${line##*/}
done
/etc/pam.d/chage
/etc/pam.d/chgpasswd
/etc/pam.d/groupadd
/etc/pam.d/groupdel
/etc/pam.d/groupmod
/etc/pam.d/shadow
/etc/pam.d/useradd
/etc/pam.d/userdel
/etc/pam.d/usermod
https://gitlab.archlinux.org/archlinux/packaging/packages/shadow/-/blob/main/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch
Can you please describe in prose which files you think are redundant and why? Tickets like these are extremely hard to parse as a reader (if there is just some program output without any explanation) and likely the reason why this has not been touched in quite some time.
I for one have hundreds of packages and if a ticket is not explaining (in *words*) what it is about, I will likely just skip over it.
FS#64836
shadow builds with --disable-account-tools-setuid which is required for PAM support in chgpasswd [1], chpasswd [2], groupadd [3], groupdel [4], groupmod [5], newusers [6], useradd [7], userdel [8], usermod [9]. Without setuid support restricted operations using the listed binaries can only be performed by root, so it is not a security issue.
Edit:
The related PAM files are installed due to [10]. /etc/pam.d/shadow is created by [11].
[1] https://github.com/shadow-maint/shadow/blob/4.13/src/chpasswd.c#L280
[2] https://github.com/shadow-maint/shadow/blob/4.13/src/chage.c#L22
[3] https://github.com/shadow-maint/shadow/blob/4.13/src/groupadd.c#L20
[4] https://github.com/shadow-maint/shadow/blob/4.13/src/groupdel.c#L18
[5] https://github.com/shadow-maint/shadow/blob/4.13/src/groupmod.c#L20
[6] https://github.com/shadow-maint/shadow/blob/4.13/src/newusers.c#L32
[7] https://github.com/shadow-maint/shadow/blob/4.13/src/useradd.c#L23
[8] https://github.com/shadow-maint/shadow/blob/4.13/src/userdel.c#L22
[9] https://github.com/shadow-maint/shadow/blob/4.13/src/usermod.c#L22
[10] https://gitlab.archlinux.org/archlinux/packaging/packages/shadow/-/blob/26d836264eedd38fdd1c4724171b01946245d8af/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch#L53
[11] https://gitlab.archlinux.org/archlinux/packaging/packages/shadow/-/blob/26d836264eedd38fdd1c4724171b01946245d8af/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch#L152
grep: /usr/bin/chpasswd: binary file matches
grep: /usr/bin/groupmems: binary file matches
grep: /usr/bin/newusers: binary file matches
grep: /usr/bin/passwd: binary file matches
grep: /usr/bin/shadow: No such file or directory
Binaries using PAM:
* chpasswd
* groupmems
* newusers
* passwd
Binaries not using PAM:
* chage
* chgpasswd
* groupadd
* groupdel
* groupmod
* useradd
* userdel
* usermod
Binary not present:
* shadow
Useless files in /etc/pam.d/:
* chage
* chgpasswd
* groupadd
* groupdel
* groupmod
* shadow
* useradd
* userdel
* usermod
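For anyone who wants to reproduce the classification above without a shell pipeline, here is a worked example added to this ticket (it is not code from the shadow package or its Arch packaging). It parses a multi-file ldd transcript, which below is constructed from the output quoted in the report, and buckets each /etc/pam.d file by whether the same-named binary links libpam; ldd_live() builds the same map from a running system. The file list, the /usr/bin prefix and the "libpam.so" soname test are assumptions taken from the listing in this ticket.

```python
"""Work out which /etc/pam.d files a package ships have no PAM-linked binary
behind them.  Example added to this ticket; not code from the shadow package
or its Arch packaging.  The ldd transcript is constructed from the output
quoted in the report so the result can be reproduced offline."""

import os
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Set

# Constructed from the ldd output in this report (load addresses irrelevant).
LDD_TRANSCRIPT = """\
/usr/bin/chage:
/usr/bin/chgpasswd:
/usr/bin/chpasswd:
    libpam.so.0 => /usr/lib/libpam.so.0 (0x00007fa01744e000)
/usr/bin/groupadd:
/usr/bin/groupdel:
/usr/bin/groupmems:
    libpam.so.0 => /usr/lib/libpam.so.0 (0x00007f6902dc0000)
    libpam_misc.so.0 => /usr/lib/libpam_misc.so.0 (0x00007f6902dbb000)
/usr/bin/groupmod:
/usr/bin/newusers:
    libpam.so.0 => /usr/lib/libpam.so.0 (0x00007f5e05416000)
/usr/bin/passwd:
    libpam.so.0 => /usr/lib/libpam.so.0 (0x00007fb42c695000)
    libpam_misc.so.0 => /usr/lib/libpam_misc.so.0 (0x00007fb42c690000)
/usr/bin/shadow:
ldd: /usr/bin/shadow: No such file or directory
/usr/bin/useradd:
/usr/bin/userdel:
/usr/bin/usermod:
"""

# The files shadow installs under /etc/pam.d, per the listing in this ticket.
PAM_FILES: List[str] = ["/etc/pam.d/" + n for n in (
    "chage", "chgpasswd", "chpasswd", "groupadd", "groupdel", "groupmems",
    "groupmod", "newusers", "passwd", "shadow", "useradd", "userdel", "usermod")]

_HEADER = re.compile(r"^(\S+):$")
_MISSING = re.compile(r"^ldd: (\S+): No such file or directory$")
_NEEDED = re.compile(r"^\s+(\S+) =>")


def parse_ldd(text: str) -> Dict[str, Optional[Set[str]]]:
    """Map each binary in a multi-file ldd transcript to the sonames it needs;
    None marks a binary that ldd could not find."""
    info: Dict[str, Optional[Set[str]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if (m := _HEADER.match(line)):
            current = m.group(1)
            info.setdefault(current, set())
        elif (m := _MISSING.match(line)):
            info[m.group(1)] = None
            current = None
        elif (m := _NEEDED.match(line)) and current is not None:
            libs = info[current]
            if libs is not None:
                libs.add(m.group(1))
    return info


def ldd_live(binaries: Iterable[str]) -> Dict[str, Optional[Set[str]]]:
    """Build the same map from a running system (assumes glibc's ldd)."""
    chunks = []
    for path in binaries:
        if not os.path.exists(path):
            chunks.append(f"ldd: {path}: No such file or directory")
            continue
        out = subprocess.run(["ldd", path], capture_output=True, text=True).stdout
        chunks.append(f"{path}:\n{out}")
    return parse_ldd("\n".join(chunks))


def classify(pam_files: Iterable[str], ldd_info: Dict[str, Optional[Set[str]]],
             bindir: str = "/usr/bin") -> Dict[str, List[str]]:
    """Bucket each pam.d file by the state of the same-named binary."""
    result: Dict[str, List[str]] = {"uses_pam": [], "no_pam": [], "missing_binary": []}
    for f in pam_files:
        binary = os.path.join(bindir, os.path.basename(f))
        libs = ldd_info.get(binary)
        if libs is None:                      # absent, or never seen by ldd
            result["missing_binary"].append(f)
        elif any(lib.startswith("libpam.so") for lib in libs):
            result["uses_pam"].append(f)      # libpam_misc alone does not count
        else:
            result["no_pam"].append(f)
    return result


def redundant_pam_files(pam_files: Iterable[str],
                        ldd_info: Dict[str, Optional[Set[str]]]) -> List[str]:
    """Service files that no PAM-linked binary of that name will ever request."""
    buckets = classify(pam_files, ldd_info)
    return sorted(buckets["no_pam"] + buckets["missing_binary"])


if __name__ == "__main__":
    for name, files in classify(PAM_FILES, parse_ldd(LDD_TRANSCRIPT)).items():
        print(f"{name}: {' '.join(files)}")
```

Linking libpam is a necessary but not sufficient sign that a binary actually calls pam_start() with that service name, as the discussion of chpasswd and newusers in this ticket shows; treat the "uses_pam" bucket as "needs a closer look", not as proof that the service file is consulted.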
Thanks for listing the files though!
@loqs: I see. Then removing the relevant modifications from the patch is the way forward. Thank you for pointing me to it!
I guess the default upstream PAM files for chpasswd, groupmems, newusers and passwd should be fine, as we are pulling in pambase based files then.
This would also allow us to properly unify setting the default in /etc/pam.d/system-auth.
As you have spent quite some time with the related tickets I'd appreciate your input on these assumptions of mine!
I think the only thing left would be not installing /etc/pam.d/{chfn,chsh,login} provided by util-linux.
> I guess the default upstream PAM files for chpasswd, groupmems, newusers and passwd should be fine, as we are pulling in pambase based files then.
groupmems and passwd would be the only PAM files shadow then provides. chpasswd and newusers are built without PAM support.
The only issue I could see is if sudo and alike are allowed by:
auth sufficient pam_rootok.so
> This would also allow us to properly unify setting the default in /etc/pam.d/system-auth.
Yes.
While rebasing the patches to 4.14.0 I have moved these modifications to one of the earlier patches already.
> chpasswd and newusers are built without PAM support.
They link against libpam.so though: https://github.com/shadow-maint/shadow/issues/810
> The only issue I could see is if sudo and alike are allowed by:
> auth sufficient pam_rootok.so
Could you elaborate on what you mean specifically with this? I guess not that e.g. a user may use `sudo passwd` to set the root password (as that is already possible).
> They link against libpam.so though: https://github.com/shadow-maint/shadow/issues/810
My mistake. I should read the code comments more carefully [1][2]. Without setuid, permissions are enforced by the access to the passwd and shadow files. If PAM support is enabled that check is used in addition. With setuid when PAM support is enabled it replaces the access check to the passwd and shadow files.
[1] https://github.com/shadow-maint/shadow/blob/4.14.0/src/chpasswd.c#L289C1-L292C5
[2] https://github.com/shadow-maint/shadow/blob/4.14.0/src/newusers.c#L764C1-L772C50
Man, what a mess.... /o\
Okay... so then we might be... fine(?!) without the PAM configs for these two (chpasswd and newusers) I guess.
$ sudo passwd someusername
To set the password of another user. Also, does passwd still work for a non-root user to set their own password?
That might cause an issue as, with no matching service file, PAM would then fall back to /etc/pam.d/other which denies and logs everything.
Please give it a thorough test and report back with any problems!
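To make the fallback mentioned above concrete, here is a worked example added to this ticket (not code from shadow, pambase or Linux-PAM). It resolves a service name the way libpam does, using /etc/pam.d/<service> if present and /etc/pam.d/other otherwise, then evaluates the module stack with the classic required/requisite/sufficient/optional controls. The configuration tree is constructed in memory and is an assumption: "other" mirrors the deny-and-log default, "system-auth" and "passwd" are simplified stand-ins, and each module's outcome is assumed rather than computed from real credentials.

```python
"""Resolve a PAM service name like libpam does (/etc/pam.d/<service> if it
exists, else /etc/pam.d/other) and evaluate the stack.  Example added to this
ticket; not code from shadow, pambase or Linux-PAM.  All configs below are
constructed stand-ins, not the files any distribution ships."""

from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    type: str                 # auth | account | password | session
    control: str              # required | requisite | sufficient | optional | include | substack
    module: str               # pam_unix.so, pam_deny.so, ... (file name for include)
    args: Tuple[str, ...]


# Constructed stand-in for /etc/pam.d (assumption: real files vary by distro).
PAM_D: Dict[str, str] = {
    "other": """
auth      required  pam_deny.so
auth      required  pam_warn.so
account   required  pam_deny.so
account   required  pam_warn.so
password  required  pam_deny.so
password  required  pam_warn.so
session   required  pam_deny.so
session   required  pam_warn.so
""",
    "system-auth": """
auth      required  pam_unix.so try_first_pass nullok
account   required  pam_unix.so
password  required  pam_unix.so try_first_pass nullok shadow
session   required  pam_unix.so
""",
    "passwd": """
#%PAM-1.0
password  include   system-auth
""",
}

# Assumed result of each module when it runs.  pam_unix "succeeds" here only
# because there are no real credentials to check; pam_warn only logs, so it is
# treated as not affecting the outcome.
MODULE_RESULT: Dict[str, bool] = {
    "pam_deny.so": False,
    "pam_permit.so": True,
    "pam_warn.so": True,
    "pam_unix.so": True,
}


def parse_pam_config(text: str) -> List[Rule]:
    """Parse 'type control module [args...]' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return rules


def resolve_service(service: str, pam_d: Dict[str, str] = PAM_D) -> Tuple[str, List[Rule]]:
    """Return (config actually used, expanded rules).  A service without a
    file of its own silently gets 'other', the trap discussed in this ticket."""
    name = service if service in pam_d else "other"
    expanded: List[Rule] = []
    for r in parse_pam_config(pam_d[name]):
        if r.control in ("include", "substack"):
            # Splice the included file's rules of the same type in place
            # (an approximation of libpam's include handling).
            expanded.extend(x for x in parse_pam_config(pam_d[r.module]) if x.type == r.type)
        else:
            expanded.append(r)
    return name, expanded


def run_stack(rules: List[Rule], mtype: str,
              results: Dict[str, bool] = MODULE_RESULT) -> Tuple[bool, List[str]]:
    """Evaluate one management group.  Returns (granted, modules that ran)."""
    ran: List[str] = []
    required_failed = False
    for r in (x for x in rules if x.type == mtype):
        ok = results[r.module]
        ran.append(r.module)
        if r.control == "requisite" and not ok:
            return False, ran            # requisite failure ends the stack now
        if r.control == "required" and not ok:
            required_failed = True       # keep going, so a later pam_warn still logs
        elif r.control == "sufficient" and ok and not required_failed:
            return True, ran
        # optional: ignored in this simplified model
    if not ran:
        return False, ran                # empty stack: libpam fails it as well
    return not required_failed, ran


def check(service: str, mtype: str) -> Dict[str, object]:
    """Summary of which file served the request and what the stack decided."""
    name, rules = resolve_service(service)
    granted, ran = run_stack(rules, mtype)
    return {"config": name, "granted": granted, "ran": ran,
            "logged": "pam_warn.so" in ran}


if __name__ == "__main__":
    for svc in ("passwd", "chpasswd"):
        print(svc, check(svc, "password"))
```

With the stand-in tree, passwd resolves to its own file and succeeds, while chpasswd has no file, lands on "other", is denied by pam_deny and still reaches pam_warn, which is the "denies and logs everything" behaviour; dropping a service file is therefore only safe if the binary never calls into PAM under that name.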
> To set the password of another user. Also does passwd still work for a none root user to set their own password?
Given that passwd is setuid, it should?
> That might cause an issue as with no matching service file. PAM would then fall back to /etc/pam.d/other which denies and logs everything.
Okay, I'll add them manually then and wait for upstream to get back.
(1/5) Creating system user accounts...
/usr/lib/sysusers.d/shadow.conf:1: Lines of type 'g' don't take a GECOS field.
(2/5) Reloading system manager configuration...
(3/5) Applying kernel sysctl settings...
(4/5) Creating temporary files...
/usr/lib/tmpfiles.d/shadow.conf:1: Failed to resolve group 'groups': No such process
error: command failed to execute correctly
> Given that passwd is setuid, it should?
It does
I also added the PAM integration for chpasswd and newusers back.