FS#69933 - [shadow] Use upstream login.defs

Attached to Project: Arch Linux
Opened by lukpod (lukpod) - Wednesday, 10 March 2021, 16:30 GMT
Last edited by David Runge (dvzrv) - Thursday, 05 January 2023, 10:37 GMT
Task Type: General Gripe
Category: Packages: Core
Status: Closed
Assigned To: David Runge (dvzrv), Giancarlo Razzolini (grazzolini)
Architecture: All
Severity: Very Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 3
Private: No

Details

The upstream provides login.defs in the tarball and it is more thorough.

https://github.com/shadow-maint/shadow/blob/master/etc/login.defs

Closed by: David Runge (dvzrv), Thursday, 05 January 2023, 10:37 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with 4.12.3-2
Comment by lukpod (lukpod) - Wednesday, 10 March 2021, 18:21 GMT
The upstream file is more thorough and more up to date. Some settings may have to be adjusted by the downstream but I think it's better to use the configuration file provided by the upstream; it should be more correct.
Comment by Giancarlo Razzolini (grazzolini) - Wednesday, 10 March 2021, 18:51 GMT
I'm going to check, on the next shadow release, if we can apply upstream login.defs. If so, I'll update ours. But I know there's a reason for the changes we make downstream.
Comment by loqs (loqs) - Wednesday, 10 March 2021, 18:55 GMT
Compared to the current login.defs:
Dropped:
ENCRYPT_METHOD SHA512
Added:
CHFN_AUTH yes
CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
ENV_HZ HZ=100
ENVIRON_FILE /etc/environment
FAILLOG_ENAB yes
FTMP_FILE /var/log/btmp
LASTLOG_ENAB yes
MAIL_CHECK_ENAB yes
NOLOGINS_FILE /etc/nologin
NONEXISTENT /nonexistent
OBSCURE_CHECKS_ENAB yes
PASS_ALWAYS_WARN yes
PASS_CHANGE_TRIES 5
PASS_MIN_LEN 5
PORTTIME_CHECKS_ENAB yes
QUOTAS_ENAB yes
SUB_GID_COUNT 65536
SUB_GID_MAX 600100000
SUB_GID_MIN 100000
SUB_UID_COUNT 65536
SUB_UID_MAX 600100000
SUB_UID_MIN 100000
SU_WHEEL_ONLY no
Changed:
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin -> PATH=/bin:/usr/bin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin -> PATH=/sbin:/bin:/usr/sbin:/usr/bin
MOTD_FILE -> /etc/motd
SYS_GID_MIN 500 -> SYS_GID_MIN 101
SYS_UID_MIN 500 -> SYS_UID_MIN 101
UMASK 077 -> UMASK 022
Comment by lukpod (lukpod) - Wednesday, 10 March 2021, 19:12 GMT
I think it's easier to patch the upstream config file instead of maintaining a separate one.
Comment by Giancarlo Razzolini (grazzolini) - Wednesday, 10 March 2021, 19:24 GMT
I'm going to have to do some testing before I actually start merging stuff.
Comment by lukpod (lukpod) - Thursday, 11 March 2021, 00:11 GMT
pwck -r and grpck -r output

configuration error - unknown item 'NONEXISTENT' (notify administrator)
configuration error - unknown item 'GRANT_AUX_GROUP_SUBIDS' (notify administrator)

I hadn't uncommented all the items so there may be more unknown ones.
Comment by loqs (loqs) - Sunday, 06 June 2021, 07:59 GMT
login.defs-arch-patch patches the upstream default with the following changes:

Commented out with comment setting is unsupported [1]:
CHFN_AUTH
CRACKLIB_DICTPATH
ENV_HZ HZ
ENV_TZ
ENVIRON_FILE
FAILLOG_ENAB
FTMP_FILE
ISSUE_FILE
LASTLOG_ENAB
LOGIN_STRING
MAIL_CHECK_ENAB
MOTD_FILE
NOLOGINS_FILE
OBSCURE_CHECKS_ENAB
PASS_ALWAYS_WARN
PASS_CHANGE_TRIES
PASS_MAX_LEN
PASS_MIN_LEN
PORTTIME_CHECKS_ENAB
QUOTAS_ENAB
SU_WHEEL_ONLY
ULIMIT

Restored to Arch's current setting:
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
SYS_GID_MIN 500
SYS_UID_MIN 500

Added back:
ENCRYPT_METHOD SHA512

Supporting FS#66068:
UMASK 022
HOME_MODE 0700

[1] https://github.com/shadow-maint/shadow/commit/71c6165dcd6b808fc1bf11e0dfb3692beb06221c
Comment by loqs (loqs) - Monday, 07 June 2021, 22:24 GMT
Remove options incompatible with pam from login.defs and man 8 login.defs. Needed two patches from upstream as the tarball does not match git release tag and could not build man pages locally.
As in the previous comment, but with the introductory comment from marekm added back to the start of login.defs.

TBD:
CONSOLE looks as though it is not used with pam enabled.
Is the introductory text still accurate?
SYS_GID_MIN / SYS_UID_MIN using the upstream value of 101 should not be an issue for any official package, but would be for AUR PKGBUILDs still using useradd -r.
ENV_SUPATH PATH / ENV_PATH PATH using the upstream values would remove /usr/local/bin.
ENCRYPT_METHOD SHA512 see FS#67393
UMASK / HOME_MODE see FS#66068
Comment by marc boocha (marcthe12) - Tuesday, 08 June 2021, 03:29 GMT
CONSOLE seems to do the same thing as pam_securetty.so, which is, well, to be removed, see FS#45903.
Just check if there is any other use case; if not, we can null it.
Comment by loqs (loqs) - Tuesday, 08 June 2021, 04:25 GMT
All uses I have found are guarded either directly or indirectly by:
#ifndef USE_PAM
https://github.com/shadow-maint/shadow/blob/4.8.1/lib/getdef.c#L84 entry for option CONSOLE_GROUPS, CONSOLE entry is on the line below.
https://github.com/shadow-maint/shadow/blob/4.8.1/libmisc/console.c the console related functions is_listed and console are defined here. Line 132 is the only use of the option CONSOLE.
https://github.com/shadow-maint/shadow/blob/4.8.1/lib/prototypes.h#L352 one guarded use declaring function setup_uid_gid with parameter console plus one unguarded use declaring function console defined above.
https://github.com/shadow-maint/shadow/blob/4.8.1/libmisc/setugid.c#L123 defines function setup_uid_gid with parameter console declared above plus one related use in the same file both guarded.
https://github.com/shadow-maint/shadow/blob/4.8.1/libmisc/setugid.c#L134 only use of CONSOLE_GROUPS and is guarded in the same block as above.
https://github.com/shadow-maint/shadow/blob/4.8.1/src/login.c#L613 uses function console plus three related uses in the same file all guarded.
https://github.com/shadow-maint/shadow/blob/4.8.1/src/su.c#L713 uses function console plus two related uses in the same file all guarded.

Really needs someone else to cross check the above.
Edit:
As login, su, chsh, chfn, sg, nologin, vipw and vigr are provided by util-linux, that needs to be checked as well.
So far MOTD_FILE is supported and a new option LOGIN_PLAIN_PROMPT that shadow does not support.
List of login.defs options util-linux supports I have found so far:
ALWAYS_SET_PATH
CHFN_RESTRICT
DEFAULT_HOME
ENV_PATH
ENV_ROOTPATH
ENV_SUPATH
FAIL_DELAY
HUSHLOGIN_FILE
LASTLOG_UID_MAX
LOGIN_KEEP_USERNAME
LOGIN_PLAIN_PROMPT
LOGIN_RETRIES
LOGIN_TIMEOUT
LOG_UNKFAIL_ENAB
MOTD_FILE
MOTD_FIRSTONLY
SYS_UID_MAX
SYS_UID_MIN
UID_MAX
UID_MIN
TTYGROUP
TTYPERM
Comment by loqs (loqs) - Tuesday, 08 June 2021, 20:35 GMT
Removed hopefully all the remaining options that are not used due to the use of util-linux.
Added back MOTD_FILE. This is set to an empty string in login.defs-arch.patch otherwise it will be displayed first by pam_motd then secondly by login.
The related comment needs adjustment to document this.
Edit:
Compared to the old login.defs:
Removed:
LOG_OK_LOGINS
SYSLOG_SU_ENAB
CONSOLE
SU_LOGFILE
TTYTYPE_FILE
SU_NAME
ERASECHAR
KILLCHAR
CONSOLE_GROUPS
Comment by loqs (loqs) - Tuesday, 29 June 2021, 15:37 GMT
Added shadow-4.8-ignore-login-prompt.patch from Fedora: do not complain about the LOGIN_PLAIN_PROMPT option that is used by login from util-linux.
Added 5cd04d03f94622c12220d4a6352824af081b8531.patch from upstream supporting yescrypt.
Added FS71393.patch supporting FS#71393, change default encryption method to yescrypt.
Comment by loqs (loqs) - Thursday, 19 August 2021, 14:30 GMT
Updated for 4.9. The options that are unsupported are now listed in the PKGBUILD along with a short reason for each.
Fedora includes all the options in the current list plus MOTD_FILE and SHA_CRYPT_MIN_ROUNDS which I believe are supported.
Comment by Marcos Mello (marcosfrm) - Sunday, 22 August 2021, 19:33 GMT
login from util-linux 2.36+ added support for directories in MOTD_FILE. Perhaps leave it commented in login.defs to use login's built-in default "/usr/share/misc/motd:/run/motd:/run/motd.d:/etc/motd:/etc/motd.d"?

https://github.com/karelzak/util-linux/commit/5a528e2c6ff9735266fc2607c359e925b074bf2c

And I should ask for a /etc/motd.d directory in filesystem in this case, FS#71797

Edit:
Hmmm, motd is printed by pam_motd, right? Can we drop it from pambase and rely on util-linux's login?

Edit2:
https://github.com/karelzak/util-linux/commit/72b155ea6e25730d7c01d345cc2df269c2c47635
...what a mess.

Edit3:
Since pam_motd supports directories too (https://github.com/linux-pam/linux-pam/blob/v1.5.1/modules/pam_motd/pam_motd.c#L28), an option is to keep the current login.defs configuration (empty MOTD_FILE to silence util-linux's login) and drop pam_motd's "motd=/etc/motd" option from system-login (OR add motd_dir=/etc/motd.d to restrict it to /etc).
Comment by loqs (loqs) - Tuesday, 12 October 2021, 21:10 GMT
Updated PKGBUILD.diff to add three upstream fixes for coredump producing bugs and to remove the PREVENT_NO_AUTH option added in 4.9 which is not supported by login or su from util-linux.

@marcosfrm I would suggest opening a feature request against pambase to amend the options passed to pam_motd.so in either of the ways you suggested.
Comment by loqs (loqs) - Monday, 03 January 2022, 22:04 GMT
Rebased PKGBUILD.diff on upstream 4.11.1. Missing trust path to signing key used for 4.10, 4.11 and 4.11.1.
Comment by loqs (loqs) - Friday, 28 January 2022, 00:11 GMT
Rebased on shadow 4.11.1-1.
Comment by loqs (loqs) - Sunday, 16 October 2022, 17:52 GMT
Updated diff for dvzrv
Comment by David Runge (dvzrv) - Sunday, 16 October 2022, 19:09 GMT
@loqs: Thanks! Much appreciated. I saw that the list of unsupported options was missing from the previous patch.

I have first opted for just plain commenting the options, as I have added a few other fixes in trunk and would like to make sure they work as intended before proceeding with anything further.

If you could have a quick look, that'd be much appreciated, then I'll do a pkgrel bump.
Comment by loqs (loqs) - Sunday, 16 October 2022, 19:35 GMT
PASS_MIN_LEN not supported when pam is enabled
PREVENT_NO_AUTH not supported by login or su from util-linux, not listed in Fedora's login.defs, and the only users I found in upstream shadow-maint are login and su.
SYSLOG_SU_ENAB not supported when pam is enabled
Comment by David Runge (dvzrv) - Sunday, 16 October 2022, 19:47 GMT
Thanks! I've adapted the patch and will do a pkgrel bump.
If testing goes fine we can go further from there.
Comment by loqs (loqs) - Tuesday, 18 October 2022, 11:09 GMT
Updated patch so unsupported variables are marked # VARIABLE is not currently supported
Also noted console was missing from unsupported. Can also be applied to 4.12.3.
Comment by David Runge (dvzrv) - Tuesday, 18 October 2022, 11:18 GMT
Nice, thank you! We'll try to do the sub{g,u}id change first, so that we can close some tickets.
Comment by lukpod (lukpod) - Tuesday, 18 October 2022, 14:05 GMT
I think it's better to remove the unsupported variables for less clutter and better readability. Users editing the config file shouldn't be bothered by unsupported options. All the variables are documented in the login.defs(5) man page.
Comment by marc boocha (marcthe12) - Tuesday, 18 October 2022, 16:38 GMT
Agree with lukpod. Even if you want to keep it, it's best to move it to the end of the file. If I want to edit the file, I should not be concerned by unsupported options at all.
Comment by David Runge (dvzrv) - Tuesday, 18 October 2022, 16:42 GMT
Yep, we can do that before updating to a newer shadow version.
I would like to get some interoperability tickets with filesystem and shadow out of the way first.
Comment by loqs (loqs) - Tuesday, 18 October 2022, 18:44 GMT
With shadow 4.11.1-2, UMASK is changed to 022 from 077, but HOME_MODE is left commented, so the value of UMASK is used when creating home directories and new users' home directories have group and other read plus execute.
Could the UMASK be changed back or HOME_MODE uncommented? See also FS#66068
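As an added example (not code from this ticket or from the shadow project), the following script parses login.defs, reports dropped/added/changed names between two versions as in loqs's comparison earlier in the thread, derives the home-directory mode useradd would apply when HOME_MODE is commented out, and flags the options this thread lists as unsupported with PAM. Both input files are constructed excerpts, and the fallback UMASK of 022 when the option is absent is an assumption.

```python
# Added example, not from this ticket or the shadow project: parse login.defs, diff two
# versions, derive the home-directory mode when HOME_MODE is unset. Inputs are constructed.
OLD_DEFS = """\
# old Arch login.defs (constructed)
ENCRYPT_METHOD SHA512
UMASK 077
SYS_UID_MIN 500
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
"""
NEW_DEFS = """\
# upstream-style login.defs (constructed)
UMASK 022
#HOME_MODE 0700
SYS_UID_MIN 101
ENV_PATH PATH=/bin:/usr/bin
PASS_MIN_LEN 5
"""
# Options this thread lists as unsupported when shadow is built with PAM.
PAM_UNSUPPORTED = {
    "CHFN_AUTH", "CRACKLIB_DICTPATH", "ENV_HZ", "ENV_TZ", "ENVIRON_FILE", "FAILLOG_ENAB",
    "FTMP_FILE", "ISSUE_FILE", "LASTLOG_ENAB", "LOGIN_STRING", "MAIL_CHECK_ENAB", "MOTD_FILE",
    "NOLOGINS_FILE", "OBSCURE_CHECKS_ENAB", "PASS_ALWAYS_WARN", "PASS_CHANGE_TRIES",
    "PASS_MAX_LEN", "PASS_MIN_LEN", "PORTTIME_CHECKS_ENAB", "QUOTAS_ENAB", "SU_WHEEL_ONLY", "ULIMIT",
}

def parse_login_defs(text):
    """login.defs holds one 'NAME value' per line; blank and '#' lines are ignored."""
    defs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            defs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return defs

def diff_defs(old, new):
    """Dropped, added and changed names, like the comparison posted in this thread."""
    dropped = sorted(k for k in old if k not in new)
    added = sorted(k for k in new if k not in old)
    changed = sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k])
    return dropped, added, changed

def effective_home_mode(defs):
    """useradd uses HOME_MODE if set, else 0777 & ~UMASK (UMASK default 022 is assumed)."""
    if "HOME_MODE" in defs:
        return int(defs["HOME_MODE"], 8)
    return 0o777 & ~int(defs.get("UMASK", "022"), 8)

def pam_unsupported_options(defs):
    """Active options that have no effect on a PAM-enabled shadow."""
    return sorted(k for k in defs if k in PAM_UNSUPPORTED)
```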
Comment by David Runge (dvzrv) - Tuesday, 18 October 2022, 18:58 GMT
Argh, my bad. That is an oversight. Will change back to 077 so we don't mix this change with the one in FS#66068
Comment by David Runge (dvzrv) - Tuesday, 18 October 2022, 19:32 GMT
@loqs: Thanks again for double-checking. The patch in 4.11.1-3 should now be correct again and it also (for now) sets the unsupported options to unsupported.
Comment by nl6720 (nl6720) - Wednesday, 19 October 2022, 09:51 GMT
The ENCRYPT_METHOD value has no effect on passwd and others while the sha512 option is passed to pam_unix.so in /etc/pam.d/ files.

$ grep -Fr sha512 /etc/pam.d
/etc/pam.d/chpasswd:password required pam_unix.so sha512 shadow
/etc/pam.d/newusers:password required pam_unix.so sha512 shadow
/etc/pam.d/passwd:#password required pam_unix.so sha512 shadow use_authtok
/etc/pam.d/passwd:password required pam_unix.so sha512 shadow nullok
/etc/pam.d/system-auth:password required pam_unix.so try_first_pass nullok shadow sha512

$ grep -Frl sha512 /etc/pam.d | pacman -Qo -
/etc/pam.d/chpasswd is owned by shadow 4.11.1-3
/etc/pam.d/newusers is owned by shadow 4.11.1-3
/etc/pam.d/passwd is owned by shadow 4.11.1-3
/etc/pam.d/system-auth is owned by pambase 20211210-1

Edit: this is the FS#67393 issue.
Comment by David Runge (dvzrv) - Thursday, 20 October 2022, 10:17 GMT
@loqs: FWIW, I think it would indeed make a lot of sense just removing the unsupported options in /etc/login.defs and the accompanying man page.
Comment by David Runge (dvzrv) - Monday, 31 October 2022, 11:38 GMT
I have created a mirror of shadow in our gitlab, which is an easier way of rebasing and applying the required patches in the future:
https://gitlab.archlinux.org/dvzrv/shadow/-/commits/v4.11.1.arch1

I will use this for packaging purposes from now on (after it has moved to a distribution/group location), as it also gives us the opportunity to more easily modify the files that we are currently replacing (less manual overhead in the PKGBUILD).
Comment by loqs (loqs) - Monday, 31 October 2022, 23:39 GMT
https://gitlab.archlinux.org/dvzrv/shadow/-/commit/e1c372913cf4145bdee961ed6d79d21e0c1ccf54 is not needed since https://gitlab.archlinux.org/dvzrv/shadow/-/commit/3f09f7b6fb13cc5dfbb1102929e84dd75bdc438f was merged.

shadow-man-page-updates tags one section upstream appears to have missed which is not used when pam is enabled. Tags as no_foreign sections not used due to util-linux.
Needs docbook-xsl and itstool plus the configure option --enable-man to regenerate man pages. Assuming the configure option --without-sha-crypt is added as everything uses pam, then I think man 5 login.defs should be correct apart from the CROSS REFERENCES section.
Comment by David Runge (dvzrv) - Sunday, 06 November 2022, 13:21 GMT
The custom repo has now been moved to https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow

In shadow 4.11.1-4 in [testing] I have applied distribution patches from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/v4.11.1.arch2 which allow me to drop most of the custom actions in package() by removing the unwanted utilities and man pages and add the PAM overrides that we use.

Please give it a spin to ensure there's no major breakage, then I can start rebasing for an upgrade to 4.12.x.
Comment by David Runge (dvzrv) - Tuesday, 08 November 2022, 10:20 GMT
@loqs: I haven't adapted to your latest patch yet. It's supposed to be merged with the current 0001-Disable-replaced-tools-and-man-pages.patch [1], or should something be changed in my patch in favor of what you supplied?

[1] https://github.com/archlinux/svntogit-packages/blob/d7f9f0ae3b584995cecfdacc245d92a8b7acae37/trunk/0001-Disable-replaced-tools-and-man-pages.patch
Comment by David Runge (dvzrv) - Tuesday, 08 November 2022, 10:41 GMT
@loqs: Maybe I'm missing the context a bit, but it's likely rather related to the login.defs man page changes in 0002-Adapt-login.defs-for-PAM-and-util-linux.patch [1]? Or would that and 0001-Disable-replaced-tools-and-man-pages.patch both patches be affected?

[1] https://github.com/archlinux/svntogit-packages/blob/d7f9f0ae3b584995cecfdacc245d92a8b7acae37/trunk/0002-Adapt-login.defs-for-PAM-and-util-linux.patch
Comment by loqs (loqs) - Wednesday, 09 November 2022, 19:32 GMT
@dvzrv I think it is covered by [1], but I can not be certain as either the mainboard or CPU of my Arch system has died, so I will only have web access for an unknown length of time.
Comment by David Runge (dvzrv) - Thursday, 05 January 2023, 10:37 GMT
Okay, I will close this ticket then, as we have now switched to using a (patched) version of upstream's login.defs.
