Community Packages


FS#72735 - [opendoas] Provide a default PAM configuration

Attached to Project: Community Packages
Opened by Ayush Agarwal (ayushnix) - Saturday, 13 November 2021, 13:42 GMT
Last edited by T.J. Townsend (blakkheim) - Friday, 16 June 2023, 03:13 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Ivy Foster (escondida), T.J. Townsend (blakkheim)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The upstream opendoas package has removed PAM configuration files in a commit[^1] after the latest available release version 6.8.1. A default PAM file should now be provided by the opendoas package.

In addition, if a regular user is using a different umask, such as 027, files created with doas will inherit the umask of the regular user. This can create confusion and broken systemd services due to insufficient read access. Since Arch Linux ships a default umask of 022 in /etc/profile, I think the following PAM configuration for doas might make sense,

https://github.com/Duncaen/OpenDoas/issues/31#issuecomment-642965285

#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
session optional pam_umask.so usergroups umask=022

[^1]: https://github.com/Duncaen/OpenDoas/commit/cfa9f0d3b306d6c1287ec4f2aa42be29de66c9de

Additional info:
* package version(s) - opendoas 6.8.1-3

Steps to reproduce:
1. The commit linked above shows that PAM configuration has been removed in upstream.
2. Change the umask of a regular user to a non-default value, such as 027.
3. Executing 'doas vim /etc/systemd/system/sample.service' would create 'sample.service' with permissions of 640 which isn't desirable.

Closed by T.J. Townsend (blakkheim)
Friday, 16 June 2023, 03:13 GMT
Reason for closing: Won't implement
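
The permission outcome described in the steps to reproduce, as an added example that is not part of the original report or of the opendoas package. It uses a scratch directory instead of /etc/systemd/system and does not invoke doas; the function names `mode_under_umask` and `unreadable_units` are hypothetical.

```shell
#!/bin/sh
# Added example (constructed): shows which mode a new file receives under the
# umask values named in the report, and how to find files that ended up
# without world-read permission.

# Print the octal mode a newly created file gets under the given umask.
mode_under_umask() {
    mask=$1
    dir=$(mktemp -d) || return 1
    # Run in a subshell so the caller's own umask is left untouched.
    (
        umask "$mask"
        : > "$dir/sample.service"   # created with 0666 & ~umask
    )
    # GNU stat first, BSD stat as a fallback.
    stat -c %a "$dir/sample.service" 2>/dev/null ||
        stat -f %Lp "$dir/sample.service"
    rm -rf "$dir"
}

# List regular files below a directory that lack the world-read bit,
# e.g. unit files created while a restrictive umask was inherited.
unreadable_units() {
    find "$1" -type f ! -perm -004 -print
}

echo "umask 027 -> $(mode_under_umask 027)"
echo "umask 022 -> $(mode_under_umask 022)"
```

Pointing `unreadable_units` at a real unit directory lists the files that a later `chmod o+r` would need to cover.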
