FS#69933 - [shadow] Use upstream login.defs
Attached to Project:
Arch Linux
Opened by lukpod (lukpod) - Wednesday, 10 March 2021, 16:30 GMT
Last edited by David Runge (dvzrv) - Thursday, 05 January 2023, 10:37 GMT
Details
The upstream provides login.defs in the tarball and it is more thorough.
https://github.com/shadow-maint/shadow/blob/master/etc/login.defs
This task depends upon
Closed by David Runge (dvzrv)
Thursday, 05 January 2023, 10:37 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with 4.12.3-2
Dropped:
ENCRYPT_METHOD SHA512
Added:
CHFN_AUTH yes
CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
ENV_HZ HZ=100
ENVIRON_FILE /etc/environment
FAILLOG_ENAB yes
FTMP_FILE /var/log/btmp
LASTLOG_ENAB yes
MAIL_CHECK_ENAB yes
NOLOGINS_FILE /etc/nologin
NONEXISTENT /nonexistent
OBSCURE_CHECKS_ENAB yes
PASS_ALWAYS_WARN yes
PASS_CHANGE_TRIES 5
PASS_MIN_LEN 5
PORTTIME_CHECKS_ENAB yes
QUOTAS_ENAB yes
SUB_GID_COUNT 65536
SUB_GID_MAX 600100000
SUB_GID_MIN 100000
SUB_UID_COUNT 65536
SUB_UID_MAX 600100000
SUB_UID_MIN 100000
SU_WHEEL_ONLY no
Changed:
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin -> PATH=/bin:/usr/bin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin -> PATH=/sbin:/bin:/usr/sbin:/usr/bin
MOTD_FILE -> /etc/motd
SYS_GID_MIN 500 -> SYS_GID_MIN 101
SYS_UID_MIN 500 -> SYS_UID_MIN 101
UMASK 077 -> UMASK 022
configuration error - unknown item 'NONEXISTENT' (notify administrator)
configuration error - unknown item 'GRANT_AUX_GROUP_SUBIDS' (notify administrator)
I hadn't uncommented all the items so there may be more unknown ones.
Commented out, with a comment noting that the setting is unsupported [1]:
CHFN_AUTH
CRACKLIB_DICTPATH
ENV_HZ HZ
ENV_TZ
ENVIRON_FILE
FAILLOG_ENAB
FTMP_FILE
ISSUE_FILE
LASTLOG_ENAB
LOGIN_STRING
MAIL_CHECK_ENAB
MOTD_FILE
NOLOGINS_FILE
OBSCURE_CHECKS_ENAB
PASS_ALWAYS_WARN
PASS_CHANGE_TRIES
PASS_MAX_LEN
PASS_MIN_LEN
PORTTIME_CHECKS_ENAB
QUOTAS_ENAB
SU_WHEEL_ONLY
ULIMIT
Restored to Arch's current setting:
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
SYS_GID_MIN 500
SYS_UID_MIN 500
Added back:
ENCRYPT_METHOD SHA512
Supporting FS#66068:
UMASK 022
HOME_MODE 0700
[1] https://github.com/shadow-maint/shadow/commit/71c6165dcd6b808fc1bf11e0dfb3692beb06221c
As in the previous comment, but with the introductory comment from marekm added back to the start of login.defs.
TBD:
CONSOLE looks as though it is not used with pam enabled.
Is the introductory text still accurate?
SYS_GID_MIN / SYS_UID_MIN: using the upstream value of 101 should not be an issue for any official package, but it would be for AUR PKGBUILDs still using useradd -r.
ENV_SUPATH PATH / ENV_PATH PATH using the upstream values would remove /usr/local/bin.
ENCRYPT_METHOD SHA512: see FS#67393
UMASK / HOME_MODE: see FS#66068, FS#45903
Just check if there is any other use case there; if not, we can null it.
#ifndef USE_PAM
https://github.com/shadow-maint/shadow/blob/4.8.1/lib/getdef.c#L84 entry for option CONSOLE_GROUPS, CONSOLE entry is on the line below.
https://github.com/shadow-maint/shadow/blob/4.8.1/libmisc/console.c the console related functions is_listed and console are defined here. Line 132 is the only use of the option CONSOLE.
https://github.com/shadow-maint/shadow/blob/4.8.1/lib/prototypes.h#L352 one guarded use declaring function setup_uid_gid with parameter console plus one unguarded use declaring function console defined above.
https://github.com/shadow-maint/shadow/blob/4.8.1/libmisc/setugid.c#L123 defines function setup_uid_gid with parameter console declared above plus one related use in the same file both guarded.
https://github.com/shadow-maint/shadow/blob/4.8.1/libmisc/setugid.c#L134 only use of CONSOLE_GROUPS and is guarded in the same block as above.
https://github.com/shadow-maint/shadow/blob/4.8.1/src/login.c#L613 uses function console plus three related uses in the same file all guarded.
https://github.com/shadow-maint/shadow/blob/4.8.1/src/su.c#L713 uses function console plus two related uses in the same file all guarded.
Really needs someone else to cross check the above.
Edit:
As login, su, chsh, chfn, sg, nologin, vipw and vigr are provided by util-linux, that needs to be checked as well.
So far MOTD_FILE is supported and a new option LOGIN_PLAIN_PROMPT that shadow does not support.
List of login.defs options util-linux supports I have found so far:
ALWAYS_SET_PATH
CHFN_RESTRICT
DEFAULT_HOME
ENV_PATH
ENV_ROOTPATH
ENV_SUPATH
FAIL_DELAY
HUSHLOGIN_FILE
LASTLOG_UID_MAX
LOGIN_KEEP_USERNAME
LOGIN_PLAIN_PROMPT
LOGIN_RETRIES
LOGIN_TIMEOUT
LOG_UNKFAIL_ENAB
MOTD_FILE
MOTD_FIRSTONLY
SYS_UID_MAX
SYS_UID_MIN
UID_MAX
UID_MIN
TTYGROUP
TTYPERM
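As an added example, not part of the bug report or of the shadow package: a POSIX shell check that flags active login.defs settings which, per the two lists in this comment (options shadow ignores when built with PAM, and options util-linux's login/su read), no installed consumer would honour, so an administrator does not mistake e.g. PASS_MIN_LEN for an enforced policy. The option lists are compiled from this thread and are an assumption about the versions discussed; the sample input is constructed.

```shell
#!/bin/sh
# Options shadow's getdef ignores when built with PAM, as listed in this
# thread (plus CONSOLE, CONSOLE_GROUPS, SYSLOG_SU_ENAB and PREVENT_NO_AUTH,
# also noted as unsupported). Assumption: compiled from the thread, not
# from shadow's source.
PAM_IGNORED="CHFN_AUTH CRACKLIB_DICTPATH ENV_HZ ENV_TZ ENVIRON_FILE
FAILLOG_ENAB FTMP_FILE ISSUE_FILE LASTLOG_ENAB LOGIN_STRING MAIL_CHECK_ENAB
MOTD_FILE NOLOGINS_FILE OBSCURE_CHECKS_ENAB PASS_ALWAYS_WARN PASS_CHANGE_TRIES
PASS_MAX_LEN PASS_MIN_LEN PORTTIME_CHECKS_ENAB QUOTAS_ENAB SU_WHEEL_ONLY ULIMIT
CONSOLE CONSOLE_GROUPS SYSLOG_SU_ENAB PREVENT_NO_AUTH"

# Options util-linux's login/su still read, as listed in this thread.
UTIL_LINUX="ALWAYS_SET_PATH CHFN_RESTRICT DEFAULT_HOME ENV_PATH ENV_ROOTPATH
ENV_SUPATH FAIL_DELAY HUSHLOGIN_FILE LASTLOG_UID_MAX LOGIN_KEEP_USERNAME
LOGIN_PLAIN_PROMPT LOGIN_RETRIES LOGIN_TIMEOUT LOG_UNKFAIL_ENAB MOTD_FILE
MOTD_FIRSTONLY SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN TTYGROUP TTYPERM"

# in_list WORD LIST: succeed if WORD is one of the whitespace-separated LIST items.
in_list() {
    case " $(printf '%s' "$2" | tr '\n' ' ') " in *" $1 "*) return 0 ;; esac
    return 1
}

# Read a login.defs on stdin and print each active (uncommented) option
# that shadow ignores under PAM and util-linux does not read either.
dead_settings() {
    awk '!/^[ \t]*#/ && NF { print $1 }' | while read -r opt; do
        if in_list "$opt" "$PAM_IGNORED" && ! in_list "$opt" "$UTIL_LINUX"; then
            echo "$opt"
        fi
    done
}

# Constructed sample input for this example (not an Arch file).
demo() {
    dead_settings <<'EOF'
# constructed sample login.defs
MAIL_DIR        /var/spool/mail
#FAILLOG_ENAB   yes
PASS_MIN_LEN    5
MOTD_FILE
UMASK           022
SU_WHEEL_ONLY   no
ENCRYPT_METHOD  YESCRYPT
EOF
}

demo    # prints PASS_MIN_LEN and SU_WHEEL_ONLY; MOTD_FILE is kept since util-linux reads it
```

On a real system run `dead_settings < /etc/login.defs`.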
Added back MOTD_FILE. This is set to an empty string in login.defs-arch.patch; otherwise the motd will be displayed first by pam_motd and then a second time by login.
The related comment needs adjustment to document this.
Edit:
Compared to the old login.defs:
Removed:
LOG_OK_LOGINS
SYSLOG_SU_ENAB
CONSOLE
SU_LOGFILE
TTYTYPE_FILE
SU_NAME
ERASECHAR
KILLCHAR
CONSOLE_GROUPS
Added 5cd04d03f94622c12220d4a6352824af081b8531.patch from upstream supporting yescrypt.
Added FS71393.patch supporting FS#71393 (change default encryption method to yescrypt).
Fedora includes all the options in the current list plus MOTD_FILE and SHA_CRYPT_MIN_ROUNDS, which I believe are supported.
https://github.com/karelzak/util-linux/commit/5a528e2c6ff9735266fc2607c359e925b074bf2c
And I should ask for a /etc/motd.d directory in filesystem in this case: FS#71797
Edit:
Hmmm, motd is printed by pam_motd, right? Can we drop it from pambase and rely on util-linux's login?
Edit2:
https://github.com/karelzak/util-linux/commit/72b155ea6e25730d7c01d345cc2df269c2c47635
...what a mess.
Edit3:
Since pam_motd supports directories too (https://github.com/linux-pam/linux-pam/blob/v1.5.1/modules/pam_motd/pam_motd.c#L28) an option is keep current login.defs configuration (empty MOTD_FILE to silence util-linux's login) and drop pam_motd's "motd=/etc/motd" option from system-login (OR add motd_dir=/etc/motd.d to restrict it to /etc).
@marcosfrm I would suggest opening a feature request against pambase to amend the options passed to pam_motd.so in either of the ways you suggested.
I have first opted for just plain commenting the options, as I have added a few other fixes in trunk and would like to make sure they work as intended before proceeding with anything further.
If you could have a quick look, that'd be much appreciated, then I'll do a pkgrel bump.
PREVENT_NO_AUTH: not supported by login or su from util-linux, not listed in Fedora's login.defs, and the only users I found in upstream shadow-maint are login and su.
SYSLOG_SU_ENAB: not supported when pam is enabled.
If testing goes fine we can go further from there.
Also noted console was missing from unsupported. Can also be applied to 4.12.3.
I would like to get some interoperability tickets with filesystem and shadow out of the way first.
Could the UMASK be changed back or HOME_MODE uncommented? See also FS#66068.
$ grep -Fr sha512 /etc/pam.d
/etc/pam.d/chpasswd:password required pam_unix.so sha512 shadow
/etc/pam.d/newusers:password required pam_unix.so sha512 shadow
/etc/pam.d/passwd:#password required pam_unix.so sha512 shadow use_authtok
/etc/pam.d/passwd:password required pam_unix.so sha512 shadow nullok
/etc/pam.d/system-auth:password required pam_unix.so try_first_pass nullok shadow sha512
$ grep -Frl sha512 /etc/pam.d | pacman -Qo -
/etc/pam.d/chpasswd is owned by shadow 4.11.1-3
/etc/pam.d/newusers is owned by shadow 4.11.1-3
/etc/pam.d/passwd is owned by shadow 4.11.1-3
/etc/pam.d/system-auth is owned by pambase 20211210-1
Edit: this is the FS#67393 issue.
https://gitlab.archlinux.org/dvzrv/shadow/-/commits/v4.11.1.arch1
I will use this for packaging purposes from now on (after it has moved to a distribution/group location), as it also gives us the opportunity to more easily modify the files that we are currently replacing (less manual overhead in the PKGBUILD).
shadow-man-page-updates tags one section, which upstream appears to have missed, that is not used when pam is enabled. It tags as no_foreign the sections not used due to util-linux.
Needs docbook-xsl and itstool plus the configure option --enable-man to regenerate man pages. Assuming the configure option --without-sha-crypt is added, as everything uses pam, then I think man 5 login.defs should be correct apart from the CROSS REFERENCES section.
In shadow 4.11.1-4 in [testing] I have applied distribution patches from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/v4.11.1.arch2 which allow me to drop most of the custom actions in package() by removing the unwanted utilities and man pages, and which add the PAM overrides that we use.
Please give it a spin to ensure there's no major breakage, then I can start rebasing for an upgrade to 4.12.x.
[1] https://github.com/archlinux/svntogit-packages/blob/d7f9f0ae3b584995cecfdacc245d92a8b7acae37/trunk/0001-Disable-replaced-tools-and-man-pages.patch
[2] https://github.com/archlinux/svntogit-packages/blob/d7f9f0ae3b584995cecfdacc245d92a8b7acae37/trunk/0002-Adapt-login.defs-for-PAM-and-util-linux.patch