Your message dated Mon, 7 Mar 2016 09:36:00 +0100 with message-id <[email protected]> and subject line Re: Bug#816680: debian-security-support: postinst script hangs when /etc/pam.d/su optimized has caused the Debian Bug report #816680, regarding debian-security-support: postinst script hangs when /etc/pam.d/su optimized to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 816680: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816680 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: debian-security-support Version: 2015.04.04~deb7u1 Severity: wishlist Dear Maintainer, postinst script takes the risk to call su to invoke check-support-status as the user 'debian-security-support', but hangs when the line 'auth sufficient pam_rootok.so' is missing or disabled in /etc/pam.d/su. To avoid possible configuration conflict and provide a hint to sysadmin when postinst interfere with /etc/pam.d/su rules, please add a preinst script to the package. For example, the script debian-security-support.preinst could look like this: #!/bin/sh ## Check if /etc/pam.d/su allows root to login as another user ## without prompting for password. If no, abort installation logging an ## error to help sysadmin to fix the problem. case $1 in install|upgrade) if ! grep -qE '^\s*auth\s+sufficient\s+pam_rootok\.so' /etc/pam.d/su; then echo "'auth sufficient pam_rootok.so' not found in /etc/pam.d/su" |\ logger -st "/usr/bin/dpkg --configure $DPKG_MAINTSCRIPT_PACKAGE" exit 1 fi ;; esac Regards, Mederic Claassen
--- End Message ---
--- Begin Message ---Hi, On Sat, 05 Mar 2016, Aide Ordi 49 wrote: > Is it a necessity that ulysses could login (and spoof) as penelope and > telemachus without knowing their passwords, even if ulysses can browse > their files? I don't think so and even the program runas.exe > Microsoft Windows forbid that behaviour by default. As soon as you have root powers, you can do that, even if you configure PAM differently... because root can edit the PAM configuration, or just compile a program that does the "setuid" call, or use sudo. If someone has root rights, requiring a password for su is not going to protect anyone from anything. It can only break your system like you noticed. I'm surprised that debian-security-support is the only package that broke on you but I'm sure that we can find plenty other examples in the Debian repositories. > That's why I would prefer this login capability for root was not enabled > in /etc/pam.d/su by default. You know that the root user doesn't have to login to "penelope" to change/read files of penelope without her noticing? Even create new files... they can be "chown"'ed after their creation. > What I say is just: maybe one day, another person will try to install > debian-security-support after he has customized /etc/pam.d/su. > In this case, a message via syslog or frontend provided by a preinst > script could help when su make dpkg to freeze, especialy if that person > have not enough skills to debug and understand what > /var/lib/dpkg/info/debian-security-support.postinst do. If that person doesn't have those skills, then they would not have edited /etc/pam.d/su. Anyway I'm going to close this ticket because while your suggestion was full of good intent, in fact I believe that it's not a good idea. It would be a needless complication. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/
--- End Message ---

