[Bug 1081947] New: PAM module pam_keyinit is still not included in the PAM stack
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947

Bug ID: 1081947
Summary: PAM module pam_keyinit is still not included in the PAM stack
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: fbui@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Bug #1045886 revealed the lack of the integration of the PAM module "pam_keyinit".

The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring. The created session keyring will be linked to the user keyring.

Even if it currently works without the integration of "pam_keyinit" (in this case the user session keyring is used as fallback), it's strongly recommended to use a session keyring instead, especially for the root user, see man user-session-keyring(7).

That would also have the benefit of re-enabling the keyring support in systemd, where each system service gets its own session keyring automatically, not linked with the user keyring (the root one).

pam-config gained support for the configuration of pam_keyinit recently [1] but it's still not used and therefore pam_keyinit is still not integrated in the PAM stack.

[1] https://build.opensuse.org/request/show/565816

-- 
You are receiving this mail because:
You are on the CC list for the bug.
--- Comment #1 from Franck Bui
--- Comment #2 from Josef Möllers
--- Comment #3 from Franck Bui
--- Comment #4 from Josef Möllers
--- Comment #6 from Josef Möllers
--- Comment #7 from Franck Bui
> Re comment #3: Why should it be in the stack?

Where else would you want it to be? The kernel keyring stuff is a general infra provided by the kernel which needs special care during session creation so that all applications can rely on it if needed.

> The lengthy discussion in Bug #1045886 shows that it would not be advisable to just automatically add pam_keyinit to pam config files!

What made you think so?
--- Comment #8 from Josef Möllers
(In reply to Franck Bui from comment #7)
> (In reply to Josef Möllers from comment #6)
>> Re comment #3: Why should it be in the stack?
>
> Where else would you want it to be?

But how should it end up there? AFAIK the only way is to explicitly call pam-config!

> The kernel keyring stuff is a general infra provided by the kernel which needs special care during session creation so that all applications can rely on it if needed.
>
>> The lengthy discussion in Bug #1045886 shows that it would not be advisable to just automatically add pam_keyinit to pam config files!
>
> What made you think so?

The quote from "man pam_keyinit": "This module should not, generally, be invoked by programs like su, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this."

An idea in the discussion had been to write some rpmlint script which would force the maintainers to include pam_keyinit into their pam config files. But I can only guess how one would do that.
--- Comment #9 from Franck Bui
> (In reply to Franck Bui from comment #7)
>> (In reply to Josef Möllers from comment #6)
>>> Re comment #3: Why should it be in the stack?
>>
>> Where else would you want it to be?
>
> But how should it end up there? AFAIK the only way is to explicitly call pam-config!

Not for basic/core modules. AFAICS by default /etc/pam.d/common-session contains:

  session required pam_limits.so
  session required pam_unix.so try_first_pass
  session optional pam_umask.so
  session optional pam_env.so
  session optional pam_systemd.so

IIUC none of these modules rely on an external package to set them up. And I just realized that even pam_systemd is part of this "core" list... I didn't know that and I guess the use of "pam-config" in systemd.spec becomes useless...

Perhaps you should have a look at how other distros made it?
--- Comment #10 from Josef Möllers
> Perhaps you should have a look at how other distros made it?

BTDT! Other distributions have two sets of common-* and module-specific files: one set *with* "force" and one set *without* "force", and the commands need to load the appropriate module-specific file: i.e. if run with "-i", "sudo" must load "/etc/pam.d/sudo-i" which includes "common-session-force", and if run without "-i" it must load "/etc/pam.d/sudo" which includes "common-session". Then "pam" would ship with both sets of common-* files.

This requires a number of packages to be modified: gdm, util-linux, xorg-x11-server, sudo, openssh, to name but a few.

I have found no way to automagically detect the requirement of "force".
--- Comment #11 from Josef Möllers
--- Comment #12 from Josef Möllers
--- Comment #13 from Stanislav Brabec
--- Comment #14 from Josef Möllers
> Is it a request for Tumbleweed only, or should it be done for Leap 15 & SLE 15 as well?

Yes. Although the request is for TW, it should be included in all future versions of SLE.

> And additional question:
>
> pam files are %config(noreplace). The default behavior of rpm: If the file is not changed, use the new copy. If the file was changed, save the new copy as foo.rpmnew and keep the old instance active.
>
> If you want to force the line into user customized pam files, you would need special %post hacks.

I don't think that would be necessary. Thanks.
--- Comment #15 from Stanislav Brabec
> (In reply to Stanislav Brabec from comment #13)
>> Is it a request for Tumbleweed only, or should it be done for Leap 15 & SLE 15 as well?
>
> Yes. Although the request is for TW, it should be included in all future versions of SLE.

Does this include a change of SLE 15 GA? If yes, I will submit it there. If not, please open/clone this bug for SLE 15 SP1 (it is not yet clear whether SLE 15 SP1 will inherit util-linux from GA or Tumbleweed).
--- Comment #16 from Josef Möllers
> Josef Möllers, comment 14:
>> (In reply to Stanislav Brabec from comment #13)
>>> Is it a request for Tumbleweed only, or should it be done for Leap 15 & SLE 15 as well?
>>
>> Yes. Although the request is for TW, it should be included in all future versions of SLE.
>
> Does this include a change of SLE 15 GA? If yes, I will submit it there. If not, please open/clone this bug for SLE 15 SP1 (it is not yet clear whether SLE 15 SP1 will inherit util-linux from GA or Tumbleweed).

Yes, please submit to SLE 15!

Josef
--- Comment #17 from Stanislav Brabec
--- Comment #19 from Josef Möllers
> Please review: https://build.opensuse.org/request/show/596006
>
> The relevant change only: https://build.opensuse.org/package/rdiff/home:sbrabec:branches:util-linux- b1081947/util-linux?linkrev=base&rev=3

Looks fine to me. One little issue: you refer to su.pamd in the changes file but haven't actually changed it (which is OK).
--- Comment #20 from Josef Möllers
--- Comment #22 from Kristyna Streitova
> Hello Krystina,
>
> As you can see from the comments 11 and following, pam_keyinit.so must be added to the sudo configuration:
> * in the "sudo -l" case, "force" must be specified
> * in the "sudo" case, no "force" must be specified.

You probably mean "sudo -i".

> My understanding is that
> 1) a "sudo-l" file should be created in "/etc/pam.d" with the same contents as "/etc/pam.d/sudo" PLUS the line "session optional pam_keyinit.so force revoke"

Yes, and the line "session optional pam_keyinit.so revoke" should be added to the original "/etc/pam.d/sudo" file.

> 2) plugins/sudoers/defaults.c must be changed as to use that file for def_pam_login_service.

It seems that this is not needed. Upstream added the support for a sudo-i pam.d file [1] a while ago. So we just need to build it with the "--with-pam-login" option.

> Please make the changes ASAP (if possible for SLE-15), then clear NEEDINFO and assign back to me.

Please review my OBS request. If it's ok then I will send it also to SLE15.

OBS request: https://build.opensuse.org/request/show/597150
The relevant change only: https://build.opensuse.org/package/rdiff/home:kstreitova:branches:Base:System/sudo?linkrev=base&rev=3

Thanks!

[1] https://www.sudo.ws/repos/sudo/rev/06d34f16520b
--- Comment #23 from Josef Möllers
--- Comment #24 from Kristyna Streitova
> The changes are OK. Thanks and please assign back to me.

Ok, submitted for sudo in:

| Codestream       | Request |
|------------------|---------|
| openSUSE:Factory | #597343 |
| SUSE:SLE-15:GA   | #162078 |

I'm assigning it back to you.
--- Comment #25 from Josef Möllers
--- Comment #27 from Josef Möllers
--- Comment #28 from Josef Möllers
--- Comment #29 from Josef Möllers
--- Comment #30 from Josef Möllers
--- Comment #31 from Josef Möllers
--- Comment #32 from Dominique Leuenberger
> Pingping Dominique!

Pfft - what a long bug - Just a hint for next time you have some multi-package touching stuff: make a meta-bug and children bugs relevant to each of the packages you want changed; also helps you get things done in parallel.

As for gdm: There are currently four (well, 3, one is a link) pam files installed:

-rw-r--r-- 1 root root 293 Jul  3 17:57 gdm
-rw-r--r-- 1 root root 363 Jul  3 17:57 gdm-autologin
-rw-r--r-- 1 root root 223 Jul  3 17:57 gdm-launch-environment
lrwxrwxrwx 1 root root   3 Jul  3 17:57 gdm-password -> gdm

I assume you want/need "session optional pam_keyinit.so force revoke" in gdm/gdm-autologin and gdm-password, and without force in gdm-launch-environment? Or force not needed in any of them?
--- Comment #33 from Dominique Leuenberger
--- Comment #34 from Josef Möllers
> for reference: on Fedora, all seem to be using 'force' - so I'll do the same for Tumbleweed

Likewise Ubuntu, I was just about to write that ;-) OK, thanks.

And ... as to the "meta-bug" and "children": Never been there, never done that, but I'll keep that in mind. Thanks.
--- Comment #35 from Dominique Leuenberger
--- Comment #36 from Josef Möllers
--- Comment #45 from Josef Möllers
--- Comment #51 from Franck Bui
> Please review: https://build.opensuse.org/request/show/596006
>
> The relevant change only: https://build.opensuse.org/package/rdiff/home:sbrabec:branches:util-linux- b1081947/util-linux?linkrev=base&rev=3

I believe this ended up in the following commit: https://build.opensuse.org/package/rdiff/Base:System/util-linux?linkrev=base&rev=372

If so, you forgot to add pam_keyinit in /etc/pam.d/login too. Can you please do so? Thanks.
--- Comment #52 from Stanislav Brabec
--- Comment #53 from Franck Bui
> Done: https://build.opensuse.org/request/show/680184
>
> Could you verify that it is correct?

According to the pam_keyring man page: "This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring." Therefore I would put it earlier in the list, i.e. before "common-session".

> I will submit the change to SLE 15 SP1.
>
> Should I add this to the next update in SLE 15?

The most important distro to fix is Factory/Tumbleweed at the moment since we're planning to re-introduce the keyring mode stuff in systemd soon. As far as SLE15+ is concerned, it's not strictly mandatory since we don't plan to re-enable the keyring stuff, but it shouldn't hurt either.

I think if you add it to SLE15-SP1, it also makes sense to submit it to SLE15, especially if other packages did it already.
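The thread has now settled on three things that can be checked mechanically: every login-type service file loads pam_keyinit.so (comment #51 on /etc/pam.d/login), the "force" option is used for fresh login contexts such as sudo -i but not for plain sudo (comments #10 and #22), and the module sits before the common-session include so other session modules can use the new keyring (the comment above). The POSIX shell audit helper below is an added example written for this page; it is not code from the bug thread, from pam-config, or from any SUSE package. It builds a constructed pam.d tree under a temporary directory (the file contents are assumed sample layouts, not copied from any distribution), then reports per service file the options handed to pam_keyinit.so and whether the module is loaded before the first "session include" line. The function names (make_sample_pamd, keyinit_options, keyinit_position, count_missing, audit_pamd) are hypothetical, and the parser only understands the plain "type control module options" line format; bracketed control fields such as [success=1 default=ignore] and @include lines are not handled.

```shell
#!/bin/sh
# Added audit helper for this bug thread (not from pam-config or any SUSE
# package): report how each pam.d service file configures pam_keyinit.so.
# Assumes the plain "type control module [options]" line format; bracketed
# control fields such as [success=1 default=ignore] are not parsed.

# Build a constructed pam.d tree with assumed contents (sample data only).
make_sample_pamd() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/common-session" <<'EOF'
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so
session optional pam_systemd.so
EOF
  # plain sudo: new session keyring, not forced (keys percolate through)
  cat > "$dir/sudo" <<'EOF'
auth     include  common-auth
account  include  common-account
password include  common-password
session  optional pam_keyinit.so revoke
session  include  common-session
EOF
  # sudo -i: a fresh login shell, so force a new session keyring
  cat > "$dir/sudo-i" <<'EOF'
auth     include  common-auth
account  include  common-account
password include  common-password
session  optional pam_keyinit.so force revoke
session  include  common-session
EOF
  # login: module present but placed after common-session (too late)
  cat > "$dir/login" <<'EOF'
auth     include  common-auth
account  include  common-account
password include  common-password
session  include  common-session
session  optional pam_keyinit.so force revoke
EOF
  # remote: pam_keyinit not configured at all
  cat > "$dir/remote" <<'EOF'
auth     include  common-auth
session  include  common-session
EOF
}

# Print the options on the (last) session line loading pam_keyinit.so,
# "none" when that line carries no options, "missing" when there is no such line.
keyinit_options() {
  awk '$1 == "session" && $3 == "pam_keyinit.so" {
         found = 1; opts = ""
         for (i = 4; i <= NF; i++) opts = opts (i > 4 ? " " : "") $i
       }
       END {
         if (!found) print "missing"
         else if (opts == "") print "none"
         else print opts
       }' "$1"
}

# "ok" when pam_keyinit.so is loaded before the first "session include"
# line (other session modules can then attach keys to the new keyring),
# "late" when it comes after one, "missing" when it is absent.
keyinit_position() {
  awk '$1 == "session" && $3 == "pam_keyinit.so" {
         print (seen_include ? "late" : "ok"); done = 1; exit
       }
       $1 == "session" && $2 == "include" { seen_include = 1 }
       END { if (!done) print "missing" }' "$1"
}

# Number of service files (common-* excluded) that never load pam_keyinit.so.
count_missing() {
  n=0
  for f in "$1"/*; do
    case "${f##*/}" in common-*) continue ;; esac
    if [ "$(keyinit_options "$f")" = "missing" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# One report line per service file.
audit_pamd() {
  for f in "$1"/*; do
    name=${f##*/}
    case "$name" in common-*) continue ;; esac
    printf '%-8s keyinit=%-13s position=%s\n' \
      "$name" "$(keyinit_options "$f")" "$(keyinit_position "$f")"
  done
}

PAMD=$(mktemp -d)
trap 'rm -rf "$PAMD"' EXIT
make_sample_pamd "$PAMD"
audit_pamd "$PAMD"
```

On a real system, point audit_pamd at /etc/pam.d instead of the constructed tree; a "missing" entry for a login-type service or a "late" position is exactly the kind of omission comments #51 and #53 caught by hand. The check deliberately reads files rather than the running PAM state, so it can run in a build or review step before a package is submitted.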
--- Comment #54 from Stanislav Brabec
--- Comment #55 from Franck Bui
> Thanks, request was updated: https://build.opensuse.org/request/show/680624
>
> Other distros tend to put pam_keyinit below pam_loginuid.
>
> Last question: We have also remote.pamd. It is used by login for remote logins (i.e. logins from terminals that are not recognized as local).
>
> Should I add pam_keyinit support there as well?

Well, not sure, but I don't see any reason why a user shouldn't have a new session keyring set up if he logs in via telnet (for example).
--- Comment #56 from Franck Bui
--- Comment #60 from Stanislav Brabec
--- Comment #61 from Franck Bui
--- Comment #62 from Stanislav Brabec
--- Comment #64 from Stanislav Brabec
--- Comment #74 from Stanislav Brabec
/etc/pam.d/login fi etc.
d) Invent a special check/tool that can track pam file changes. I was working on a check that will trigger a build failure whenever a PAM file is changed and no migration script is made. I can finish it and make an RPM macro for that. (Also complicated, as it requires digging into old releases, but once it is done, it will be safe for the future.)
--- Comment #109 from OBSbugzilla Bot