Changeset bc7e5a7

Timestamp:

01/12/2022 07:37:19 AM (2 years ago)

Author:

Pierre Labastie <pierre.labastie@…>

Branches:

11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

c26cfe08

Parents:

d128a3c

git-author:

Pierre Labastie <pierre.labastie@…> (01/12/2022 07:31:54 AM)

git-committer:

Pierre Labastie <pierre.labastie@…> (01/12/2022 07:37:19 AM)

Message:

Fix PAM config files of shadow apps

shadow applications chpasswd and newusers use the "password" type,
and expect to be able to pass the password to the PAM module. But
we use pam_permit.so, which does nothing except return PAM_SUCCESS.
So the applications themselves do nothing without returning an
error. Change the config files to include system-password.
Also clean up the config files so that only the types used by the
applications appear.
Fixes #15950

Files:

• introduction/welcome/changelog.xml (modified) (1 diff)
• postlfs/security/shadow.xml (modified) (3 diffs)

introduction/welcome/changelog.xml

@@ -43 +43 @@
     -->
     <listitem>
+      <para>January 12th, 2022</para>
+      <itemizedlist>
+        <listitem>
+          <para>[pierre] - Change PAM configuration files of shadow
+          applications so that only the types really used appear, and
+          use system-password for the password type when needed. Fixes
+          <ulink url="&blfs-ticket-root;15950">#15950</ulink>.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>January 11th, 2022</para>
       <itemizedlist>

postlfs/security/shadow.xml

@@ -462 +462 @@
 
       <sect4>
+        <title>'chpasswd' and 'newusers'</title>
+
+<screen role="root"><userinput>cat &gt; /etc/pam.d/chpasswd &lt;&lt; "EOF"
+<literal># Begin /etc/pam.d/chpasswd
+
+# always allow root
+auth      sufficient  pam_rootok.so
+
+# include system auth and account settings
+auth      include     system-auth
+account   include     system-account
+password  include     system-password
+
+# End /etc/pam.d/chpasswd</literal>
+EOF
+
+sed -e /chpasswd/newusers/ /etc/pam.d/chpasswd >/etc/pam.d/newusers</userinput></screen>
+      </sect4>
+
+      <sect4>
         <title>'chage'</title>
 
@@ -470 +490 @@
 auth      sufficient  pam_rootok.so
 
-# include system auth, account, and session settings
+# include system auth and account settings
 auth      include     system-auth
 account   include     system-account
-session   include     system-session
-
-# Always permit for authentication updates
-password  required    pam_permit.so
 
 # End /etc/pam.d/chage</literal>
@@ -483 +499 @@
 
       <sect4>
-        <title>Other common programs</title>
-        <!--<title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
-        'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
-        'usermod'</title>-->
-
-<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
-               groupmems groupmod newusers useradd userdel usermod
+        <title>Other shadow utilities</title>
+
+<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chsh groupadd groupdel \
+               groupmems groupmod useradd userdel usermod
 do
     install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}