
Bug 712372

Summary: >=sys-apps/shadow-4.8-r3: chpasswd: (user root) pam_chauthtok() failed, error:
Product: Gentoo Linux Reporter: Agostino Sarubbo <ago>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: major CC: michael, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=702252
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch to sys-apps/shadow-4.8{-r3,1-r1}.ebuild plus PAM config for testing

Description Agostino Sarubbo gentoo-dev 2020-03-13 13:51:38 UTC
With sys-apps/shadow-4.8-r3:

~ # echo "root:asd" | chpasswd 
chpasswd: (user root) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user root) password not changed


I tried whether a PAM rebuild helps, but it didn't.
Downgrading to shadow-4.6 fixes the issue for me
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2020-03-13 14:36:37 UTC
Broken since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da130a443ab9811b242ae2cbf8259cb85d43b1

Dunno how to fix this properly. PAM is really not something I know very well
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2020-03-13 15:15:28 UTC
After doing (incomplete) tests, I found these binaries being affected:

chpasswd
chgpasswd
newusers
Comment 3 Michael Weiser 2020-03-13 17:51:48 UTC
Seems they are still linked against libpam even though we're configuring with --disable-account-tools-setuid. Will investigate.
Comment 4 Michael Weiser 2020-03-13 19:59:04 UTC
chgpasswd is not affected because it really, really only uses PAM if account-tools-setuid is also in effect. It always manipulates /etc/group and /etc/gshadow directly. Test case on a system with stock sys-apps/shadow-4.8-r3:

$ echo test2:foobar | chgpasswd
$ su - test
# id
uid=1001(test) gid=1001(test) groups=1001(test),986(su)
# newgrp test2
Password:
Invalid password.
# newgrp test2
Password: <foo>
# id
uid=1001(test) gid=10001(test2) groups=10001(test2),986(su),1001(test)
#

newusers and chpasswd use the password management group to update the password even if account-tools-setuid is disabled. This allows checking the password through the standard PAM config, e.g. for quality against cracklib, or not even putting it into /etc/shadow but into an LDAP server. I totally missed that when reviewing the PAM logic. :(

As soon as I create /etc/pam.d/chpasswd and /etc/pam.d/newuser with the following content they start to function again:

#%PAM-1.0
password   include      system-auth

Before:
$ echo test:foobar | chpasswd
chpasswd: (user test) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user test) password not changed

After:
$ echo test:foobar | chpasswd
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
$ su - test
# su - test
Password: <foobar>
# id
uid=1001(test) gid=1001(test) groups=1001(test),986(su)

Any auth, account or session modules are unnecessary and dangerous since the tools only call into the password management group. The others would only be necessary for the account-tools-setuid functionality we've unconditionally disabled.

Patch for testing forthcoming shortly.
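The point made in the comment above (chpasswd and newusers only ever call pam_chauthtok(), so their service files should carry nothing but password-group entries, and those entries should reach system-auth so the site's quality checks and password backend apply) can be checked mechanically. The following linter is an added example written for this page; it is not part of the bug report, the attached patch or the Gentoo shadow ebuild. The function names, the three sample configurations and the "system-auth" name of the site stack are assumptions made for illustration.

```python
import re

# Added example (not from the bug report or the Gentoo ebuild): a small linter
# for /etc/pam.d/chpasswd and /etc/pam.d/newusers.  Those tools only call
# pam_chauthtok(), i.e. the 'password' management group, so the service file
# should contain password entries only and should reach system-auth so the
# site's quality checks (e.g. pam_cracklib) and backend (pam_unix, LDAP) apply.

PAM_TYPES = {"auth", "account", "password", "session"}
# optional '-' prefix, type, control (plain word or [bracketed ...]), module, args
LINE_RE = re.compile(r"(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_pam(text):
    """Parse a PAM service file into (type, control, module, args) tuples.

    Handles '#' comments, the '-type' optional prefix, bracketed controls
    such as [success=1 default=ignore] and backslash line continuations.
    Debian-style '@include' is rejected because it pulls in all four groups.
    """
    entries = []
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            raise ValueError(f"'@include' not supported: {raw!r}")
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        _optional, mtype, control, module, args = m.groups()
        if mtype not in PAM_TYPES:
            raise ValueError(f"unknown management group {mtype!r}: {raw!r}")
        entries.append((mtype, control, module, (args or "").split()))
    return entries


def lint_password_only(text, required_include="system-auth"):
    """Return findings for a service that must use only the password group."""
    findings = []
    reaches_stack = False
    for mtype, control, module, _args in parse_pam(text):
        if mtype != "password":
            # chpasswd/newusers never call pam_authenticate, pam_acct_mgmt or
            # pam_open_session, so these lines are dead weight in a root-run
            # tool and only add modules that can misbehave.
            findings.append(f"unexpected {mtype} entry: {control} {module}")
        elif control in ("include", "substack") and module == required_include:
            reaches_stack = True
    if not reaches_stack:
        findings.append(
            f"password stack does not include {required_include}: "
            "site password policy and backend are bypassed")
    return findings


# Constructed sample service files (assumptions, not files from the bug).
GOOD_CONF = """#%PAM-1.0
password   include      system-auth
"""

# A login-style service copied over: the auth/account/session lines do
# nothing useful for chpasswd and widen its attack surface.
OVERBROAD_CONF = """#%PAM-1.0
auth       required     pam_unix.so
account    required     pam_unix.so
password   include      system-auth
session    required     pam_unix.so
"""

# Hard-codes pam_unix and never reaches system-auth, so a pam_cracklib check
# or an LDAP backend configured there is silently skipped.
LOCAL_ONLY_CONF = """#%PAM-1.0
password   required     pam_unix.so sha512 shadow
"""


def main():
    for name, conf in (("good", GOOD_CONF), ("overbroad", OVERBROAD_CONF),
                       ("local-only", LOCAL_ONLY_CONF)):
        print(name, lint_password_only(conf) or "OK")


if __name__ == "__main__":
    main()
```

Run against a real system with `lint_password_only(open("/etc/pam.d/chpasswd").read())`; an empty list means the file matches the shape the comment above recommends. The linter deliberately treats a missing include of the site stack as a finding, because a `password required pam_unix.so` line that "works" is exactly the configuration that quietly bypasses the quality checks chpasswd was supposed to enforce.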
Comment 5 Michael Weiser 2020-03-13 20:10:48 UTC
Created attachment 618684
Patch to sys-apps/shadow-4.8{-r3,1-r1}.ebuild plus PAM config for testing

Any better name for files/pam.d-include/chpasswd?

Happy to do another PR on GitHub if helpful.
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 14:28:20 UTC
(In reply to Michael Weiser from comment #5)
> Created attachment 618684
> Patch to sys-apps/shadow-4.8{-r3,1-r1}.ebuild plus PAM config for testing
> 
> Any better name for files/pam.d-include/chpasswd?
> 
> Happy to do another PR on GitHub if helpful.

[late to the party]

Yes. I was thinking about the same. Will test it.
Comment 7 Larry the Git Cow gentoo-dev 2020-03-16 18:24:24 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29e539125f8c1a419ae2b2e1a1d59866317dba1c

commit 29e539125f8c1a419ae2b2e1a1d59866317dba1c
Author:     Michael Weiser <michael@weiser.dinsnail.net>
AuthorDate: 2020-03-16 18:23:07 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-03-16 18:24:18 +0000

    sys-apps/shadow: Revbumps to fix pam usage of chpasswd and newusers
    
    Closes: https://bugs.gentoo.org/712372
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/shadow/files/pam.d-include/chpasswd                       | 3 +++
 sys-apps/shadow/{shadow-4.8-r3.ebuild => shadow-4.8-r4.ebuild}     | 4 ++++
 sys-apps/shadow/{shadow-4.8.1-r1.ebuild => shadow-4.8.1-r2.ebuild} | 4 ++++
 3 files changed, 11 insertions(+)