With sys-apps/shadow-4.8-r3:

~ # echo "root:asd" | chpasswd
chpasswd: (user root) pam_chauthtok() failed, error: Authentication token manipulation error
chpasswd: (line 1, user root) password not changed

I tried whether rebuilding PAM helps, but it didn't. Downgrading to shadow-4.6 fixes the issue for me.
Broken since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da130a443ab9811b242ae2cbf8259cb85d43b1

Dunno how to fix this properly. PAM is really not something I know very well.
After doing (incomplete) tests, I found these binaries being affected: chpasswd, chgpasswd, newusers
Seems they are still linked against libpam even though we're configuring with --disable-account-tools-setuid. Will investigate.
chgpasswd is not affected because it really, really only uses PAM if account-tools-setuid is also in effect. It always manipulates /etc/group and /etc/gshadow directly. Testcase on a system with stock sys-apps/shadow-4.8-r3:

$ echo test2:foobar | chgpasswd
$ su - test
# id
uid=1001(test) gid=1001(test) groups=1001(test),986(su)
# newgrp test2
Password:
Invalid password.
# newgrp test2
Password: <foo>
# id
uid=1001(test) gid=10001(test2) groups=10001(test2),986(su),1001(test)
#

newusers and chpasswd use the password management group to update the password even if account-tools-setuid is disabled. This allows checking the password through the standard PAM config, e.g. for quality against cracklib, or not even putting it into /etc/shadow but into an LDAP server. I totally missed that when reviewing the PAM logic. :(

As soon as I create /etc/pam.d/chpasswd and /etc/pam.d/newusers with the following content they start to function again:

#%PAM-1.0
password include system-auth

Before:

$ echo test:foobar | chpasswd
chpasswd: (user test) pam_chauthtok() failed, error: Authentication token manipulation error
chpasswd: (line 1, user test) password not changed

After:

$ echo test:foobar | chpasswd
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
$ su - test
# su - test
Password: <foobar>
# id
uid=1001(test) gid=1001(test) groups=1001(test),986(su)

Any auth, account or session modules are unnecessary and dangerous since the tools only call into the password management group. The others would only be necessary for the account-tools-setuid functionality we've unconditionally disabled. Patch for testing forthcoming shortly.
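An added audit check, not part of this bug report or the shadow ebuild: it reads a pam.d service file from stdin and verifies that it consists of password-stack entries only, which is what the chpasswd/newusers fix above relies on, flagging any auth/account/session lines. The sample file contents below are constructed for the stand-alone run; in practice the check is fed /etc/pam.d/chpasswd or /etc/pam.d/newusers.

```shell
#!/bin/sh
# Exit status of pam_password_only: 0 = only "password" entries,
# 1 = some other module type present, 2 = no entries at all.

# Print the module type of each entry in a pam.d file read on stdin, one per
# line. Comments (including the "#%PAM-1.0" header) and blank lines are
# dropped; a leading "-" (optional module) is stripped from the type.
# "@include" lines are printed as-is and therefore flagged, since the types
# they pull in cannot be seen from this file alone.
pam_types() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        awk '{ t = $1; sub(/^-/, "", t); print t }'
}

# Succeed only if stdin holds at least one entry and every entry belongs to
# the password management group, the one group chpasswd/newusers call into.
pam_password_only() {
    types=$(pam_types) || return 2
    [ -n "$types" ] || return 2
    printf '%s\n' "$types" | grep -qvx 'password' && return 1
    return 0
}

# Label and report a verdict for the file contents on stdin.
report() {
    if pam_password_only; then
        echo "$1: ok (password stack only)"
    else
        echo "$1: FAIL rc=$?"
    fi
}

# Constructed samples (not real /etc/pam.d files).
printf '#%%PAM-1.0\npassword include system-auth\n' | report chpasswd-fixed
printf '#%%PAM-1.0\nauth include system-auth\naccount include system-auth\npassword include system-auth\nsession include system-auth\n' | report chpasswd-too-broad
printf '#%%PAM-1.0\n' | report chpasswd-empty
```

Run against the live system with `pam_password_only < /etc/pam.d/chpasswd`.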
Created attachment 618684: Patch to sys-apps/shadow-4.8{-r3,1-r1}.ebuild plus PAM config for testing

Any better name for files/pam.d-include/chpasswd? Happy to do another PR on GitHub if helpful.
(In reply to Michael Weiser from comment #5)
> Created attachment 618684
> Patch to sys-apps/shadow-4.8{-r3,1-r1}.ebuild plus PAM config for testing
>
> Any better name for files/pam.d-include/chpasswd?
>
> Happy to do another PR on GitHub if helpful.

[late to the party] Yes. I was thinking about the same. Will test it.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29e539125f8c1a419ae2b2e1a1d59866317dba1c

commit 29e539125f8c1a419ae2b2e1a1d59866317dba1c
Author:     Michael Weiser <michael@weiser.dinsnail.net>
AuthorDate: 2020-03-16 18:23:07 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-03-16 18:24:18 +0000

    sys-apps/shadow: Revbumps to fix pam usage of chpasswd and newusers

    Closes: https://bugs.gentoo.org/712372
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/shadow/files/pam.d-include/chpasswd                        | 3 +++
 sys-apps/shadow/{shadow-4.8-r3.ebuild => shadow-4.8-r4.ebuild}     | 4 ++++
 sys-apps/shadow/{shadow-4.8.1-r1.ebuild => shadow-4.8.1-r2.ebuild} | 4 ++++
 3 files changed, 11 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c8fd5c62336d881e3201eb432f646aeb31f1cef

commit 8c8fd5c62336d881e3201eb432f646aeb31f1cef
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-17 01:46:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-17 01:49:28 +0000

    sys-apps/shadow: fix chfn typo in PAM configuration

    Bug: https://bugs.gentoo.org/712372
    Closes: https://bugs.gentoo.org/894998
    Fixes: c7da130a443ab9811b242ae2cbf8259cb85d43b1
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/shadow/{shadow-4.12.3.ebuild => shadow-4.12.3-r1.ebuild} | 4 ++--
 sys-apps/shadow/{shadow-4.13-r1.ebuild => shadow-4.13-r2.ebuild}  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)