Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622666 - sys-apps/util-linux: Add su-l and su PAM configuration to util-linux ebuild
Summary: sys-apps/util-linux: Add su-l and su PAM configuration to util-linux ebuild
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
: 829710 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-06-25 07:06 UTC by petepata
Modified: 2021-12-20 23:07 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
simple ebuild addition (util-linux-2.35.1.ebuild.patch,401 bytes, patch)
2020-03-27 02:55 UTC, Kyle Elbert
Details | Diff
sample su-l pam file, I grabbed this one from Debian somewhere (su-l.pamd,137 bytes, text/plain)
2020-03-27 02:56 UTC, Kyle Elbert
Details

Note You need to log in before you can comment on or make changes to this bug.
Description petepata 2017-06-25 07:06:34 UTC
Starting with sys-apps/util-linux-2.29 the Gentoo ebuild installs the PAM configuration for runuser (see #484754).
To make things consistent the util-linux ebuild should also install the PAM configuration for su and su-l.

Currently /etc/pam.d/su-l is installed by no ebuild and /etc/pam.d/su is installed by sys-auth/pambase.

If that is too much hassle, I suggest adding a su-l config file to pambase.
Comment 1 Maciej S. Szmigiero 2019-11-23 15:40:27 UTC
Now that (thanks to bug #699930) is possible to use su from sys-apps/util-linux this bug started to actually bite:

server ~ # su --login
su: Authentication failure

This is because su from sys-apps/util-linux uses /etc/pam.d/su-l file when starting a login shell, but sys-auth/pambase only installs /etc/pam.d/su.

Either sys-auth/pambase should install /etc/pam.d/su-l file or
sys-apps/util-linux[su] should do so.
Comment 2 cyrillic 2019-11-24 02:52:39 UTC
(In reply to Maciej S. Szmigiero from comment #1)

> server ~ # su --login
> su: Authentication failure

I am having the same problem :
su from shadow actually works,
but su from util-linux does not.
Comment 3 Kyle Elbert 2020-03-27 02:55:05 UTC
Created attachment 626370 [details, diff]
simple ebuild addition

a small change to the ebuild and a su-l file from Debian fixes su.
Comment 4 Kyle Elbert 2020-03-27 02:56:05 UTC
Created attachment 626372 [details]
sample su-l pam file, I grabbed this one from Debian somewhere
Comment 5 Alex Efros 2020-05-27 15:11:22 UTC
I doubt proposed difference with /etc/pam.d/su is a good idea:

    session	optional	pam_keyinit.so force revoke

Here is what pam_keyinit(8) says:

       This module should not, generally, be invoked by programs like su, since it is usually
       desirable for the key set to percolate through to the alternate context. The keys have
       their own permissions system to manage this.
Comment 6 Kyle Elbert 2021-02-13 05:56:39 UTC
(In reply to Alex Efros from comment #5)
> I doubt proposed difference with /etc/pam.d/su is a good idea:
> 
>     session	optional	pam_keyinit.so force revoke
> 
> Here is what pam_keyinit(8) says:
> 
>        This module should not, generally, be invoked by programs like su,
> since it is usually
>        desirable for the key set to percolate through to the alternate
> context. The keys have
>        their own permissions system to manage this.

" -, -l, --login
           Provide an environment similar to what the user would expect had the user logged in directly."

so with the su-l file being used for this purpose, it sounds reasonable to have the session keyring replaced unconditionally (force) and for that new keyring to go away when it exits (revoke). Though I don't really know much about about pam personally, I can see that from the man page.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-20 04:58:55 UTC
I think this is fixed by https://github.com/gentoo/gentoo/commit/e1a92e8706aaf62d1850fddcf2739323afc44bcd (sorry for not noticing the bug).

Note that we're now migrating to su from util-linux as shadow is deprecating it.
Comment 8 Xavier Miller 2021-12-20 08:05:53 UTC
Hi1,


util-linux cannot configure with USE="su -pam" :

configure: error: su selected, but required PAM header file not available
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-20 08:12:05 UTC
(In reply to Xavier Miller from comment #8)
> Hi1,
> 
> 
> util-linux cannot configure with USE="su -pam" :
> 
> configure: error: su selected, but required PAM header file not available

Please file a new bug with the full build.log and config.log. That said, if util-linux su needs PAM, there's not much we can do about that. shadow su supports no PAM but they're removing it in future. You can still enable it for now.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-20 08:15:04 UTC
(In reply to Sam James from comment #9)
> (In reply to Xavier Miller from comment #8)
> > Hi1,
> > 
> > 
> > util-linux cannot configure with USE="su -pam" :
> > 
> > configure: error: su selected, but required PAM header file not available
> 
> Please file a new bug with the full build.log and config.log. That said, if
> util-linux su needs PAM, there's not much we can do about that. shadow su
> supports no PAM but they're removing it in future. You can still enable it
> for now.

Upstream say:
"Note: From this release forward, su from this package should be
considered deprecated. Please replace any users of it with su from
util-linux. Please open an issue if there is a problem with that.
We intend to remove it in an upcoming release."

Maybe you should file a bug with them saying you don't use PAM.
Comment 11 Larry the Git Cow gentoo-dev 2021-12-20 08:22:43 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe07c3e46ee67b99c88c249cacaab79336e68682

commit fe07c3e46ee67b99c88c249cacaab79336e68682
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-20 08:22:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-20 08:22:36 +0000

    sys-apps/util-linux: su requires PAM
    
    Right now, util-linux su requires PAM -- shadow's doesn't.
    
    Bug: https://github.com/shadow-maint/shadow/issues/464
    Closes: https://bugs.gentoo.org/622666
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/util-linux/util-linux-2.37.2-r3.ebuild | 2 +-
 sys-apps/util-linux/util-linux-9999.ebuild      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-20 08:24:24 UTC
(In reply to Sam James from comment #10)
> Maybe you should file a bug with them saying you don't use PAM.

I gave in and filed it https://github.com/shadow-maint/shadow/issues/464 ;)

But any further discussion we'll do in a new bug.
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-20 23:07:45 UTC
*** Bug 829710 has been marked as a duplicate of this bug. ***