| Summary: | >=sys-apps/shadow-4.8-r3: chpasswd: (user root) pam_chauthtok() failed, error: | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Agostino Sarubbo <ago> |
| Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | michael, zlogene |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=702252 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Patch to sys-apps/shadow-4.8{-r3,1-r1}.ebuild plus PAM config for testing | | |
Description
Agostino Sarubbo
2020-03-13 13:51:38 UTC
Broken since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da130a443ab9811b242ae2cbf8259cb85d43b1

Dunno how to fix this properly. PAM is really not something I know very well.

After doing (incomplete) tests, I found these binaries being affected:

- chpasswd
- chgpasswd
- newusers

Seems they are still linked against libpam even though we're configuring with --disable-account-tools-setuid. Will investigate.

chgpasswd is not affected because it really, really only uses PAM if account-tools-setuid is also in effect. It always manipulates /etc/group and /etc/gshadow directly. Testcase on a system with stock sys-apps/shadow-4.8-r3:

```
$ echo test2:foobar | chgpasswd
$ su - test
# id
uid=1001(test) gid=1001(test) groups=1001(test),986(su)
# newgrp test2
Password:
Invalid password.
# newgrp test2
Password: <foo>
# id
uid=1001(test) gid=10001(test2) groups=10001(test2),986(su),1001(test)
#
```

newusers and chpasswd use the password management group to update the password even if account-tools-setuid is disabled. This allows checking the password through the standard PAM config, e.g. for quality against cracklib, or not even putting it into /etc/shadow but into an LDAP server. I totally missed that when reviewing the PAM logic. :(

As soon as I create /etc/pam.d/chpasswd and /etc/pam.d/newuser with the following content they start to function again:

```
#%PAM-1.0
password include system-auth
```

Before:

```
$ echo test:foobar | chpasswd
chpasswd: (user test) pam_chauthtok() failed, error: Authentication token manipulation error
chpasswd: (line 1, user test) password not changed
```

After:

```
$ echo test:foobar | chpasswd
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
$ su - test
# su - test
Password: <foobar>
# id
uid=1001(test) gid=1001(test) groups=1001(test),986(su)
```

Any auth, account or session modules are unnecessary and dangerous since the tools only call into the password management group. The others would only be necessary for the account-tools-setuid functionality we've unconditionally disabled. Patch for testing forthcoming shortly.

Created attachment 618684 [details, diff]
Patch to sys-apps/shadow-4.8{-r3,1-r1}.ebuild plus PAM config for testing

Any better name for files/pam.d-include/chpasswd?

Happy to do another PR on GitHub if helpful.
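The point made above, that a service file for chpasswd or newusers should carry nothing but the password stack, is something a packager can check mechanically. The following is an added example, not code from the bug report or from sys-apps/shadow: it parses the /etc/pam.d line format (comments, continuations, the optional leading `-`, bracketed controls) and reports any auth/account/session entries plus the services pulled in via include/substack. The two sample configs are constructed inline.

```python
import re
from typing import Dict, List, Tuple

PAM_TYPES = {"auth", "account", "password", "session"}

# Constructed sample service files (not taken from the bug report's system).
GOOD_CHPASSWD = "#%PAM-1.0\npassword include system-auth\n"
BAD_CHPASSWD = (
    "#%PAM-1.0\n"
    "auth     required pam_unix.so\n"
    "account  required pam_unix.so\n"
    "password include  system-auth\n"
    "session  optional pam_keyinit.so force revoke\n"
)


def parse_pam_service(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (type, control, module_or_service, args) for each active line.

    Handles '#' comments, backslash line continuations, the optional '-'
    prefix that silences missing-module errors, and [value=action ...] controls.
    """
    entries = []
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$", line)
        if not m or m.group(1) not in PAM_TYPES:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, control, target, rest = m.groups()
        entries.append((mtype, control, target, rest.split()))
    return entries


def audit_password_only(text: str) -> Dict[str, List[str]]:
    """Report entries outside the password stack, plus included services.

    A tool that only calls pam_chauthtok() never runs auth/account/session
    entries, so they are dead configuration at best; the includes tell the
    auditor which other service files define the effective password stack.
    """
    violations, includes = [], []
    for mtype, control, target, _args in parse_pam_service(text):
        if mtype != "password":
            violations.append(f"{mtype} entry {target!r} is never used by a password-only tool")
        elif control in ("include", "substack"):
            includes.append(target)
    return {"violations": violations, "includes": includes}


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CHPASSWD), ("bad", BAD_CHPASSWD)):
        print(name, audit_password_only(cfg))
```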
(In reply to Michael Weiser from comment #5)
> Created attachment 618684 [details, diff]
> Patch to sys-apps/shadow-4.8{-r3,1-r1}.ebuild plus PAM config for testing
>
> Any better name for files/pam.d-include/chpasswd?
>
> Happy to do another PR on GitHub if helpful.

[late to the party] Yes. I was thinking about the same. Will test it.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29e539125f8c1a419ae2b2e1a1d59866317dba1c

```
commit 29e539125f8c1a419ae2b2e1a1d59866317dba1c
Author:     Michael Weiser <michael@weiser.dinsnail.net>
AuthorDate: 2020-03-16 18:23:07 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-03-16 18:24:18 +0000

    sys-apps/shadow: Revbumps to fix pam usage of chpasswd and newusers

    Closes: https://bugs.gentoo.org/712372
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/shadow/files/pam.d-include/chpasswd                       | 3 +++
 sys-apps/shadow/{shadow-4.8-r3.ebuild => shadow-4.8-r4.ebuild}     | 4 ++++
 sys-apps/shadow/{shadow-4.8.1-r1.ebuild => shadow-4.8.1-r2.ebuild} | 4 ++++
 3 files changed, 11 insertions(+)
```

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c8fd5c62336d881e3201eb432f646aeb31f1cef

```
commit 8c8fd5c62336d881e3201eb432f646aeb31f1cef
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-17 01:46:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-17 01:49:28 +0000

    sys-apps/shadow: fix chfn typo in PAM configuration

    Bug: https://bugs.gentoo.org/712372
    Closes: https://bugs.gentoo.org/894998
    Fixes: c7da130a443ab9811b242ae2cbf8259cb85d43b1
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/shadow/{shadow-4.12.3.ebuild => shadow-4.12.3-r1.ebuild} | 4 ++--
 sys-apps/shadow/{shadow-4.13-r1.ebuild => shadow-4.13-r2.ebuild}  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
```