tags 566879 + patch fixed-upstream pending
thanks

On Wed, Jan 27, 2010 at 09:23:33AM +0000, Roger Leigh wrote:
> On Tue, Jan 26, 2010 at 05:38:16PM +0100, Aurelien Jarno wrote:
> > On Tue, Jan 26, 2010 at 11:43:53AM +0000, Roger Leigh wrote:
> > > On Tue, Jan 26, 2010 at 01:35:50AM +0100, Aurelien Jarno wrote:
> > > Does the same occur if you run schroot as root?
> >
> > No schroot as root works fine.
>
> I just need to work out why it's trying user authentication in the first
> place, then I should have a fix soon.

OK, I have a fix! (attached)

It was due to the fact that schroot and dchroot use separate
authentication methods. schroot uses auth_pam (PAM) and
dchroot/dchroot-dsa use auth_null (no authentication--it
always fails). Normally, authentication is skipped if one
is allowed access. However, root falls through and is
required to undergo authentication:

[sbuild/sbuild-session.cc, get_chroot_auth_status()]

    else // Not in any groups
      {
        if (this->authstat->get_ruid() == 0)
          status = auth::change_auth(status, auth::STATUS_USER);
        else
          status = auth::change_auth(status, auth::STATUS_FAIL);

Now, when using PAM, we succeed in running, but not because this is
hard-coded. It's due to having

    # This allows root to use schroot without passwords (normal operation)
    auth       sufficient   pam_rootok.so

in /etc/pam.d/schroot. Since dchroot doesn't use PAM the auth_null
method makes all authentication attempts immediately fail (since user-
switching and authentication are forbidden). I've relaxed
auth_null::authenticate to allow this if the local (chroot) and remote
(system) users match.

However... thinking about this, this does introduce a (minor) security
hole. Hypothetically, if pam_rootok was removed from
/etc/pam.d/schroot, dchroot could be used to bypass this PAM policy
restriction. In reality, root can gain access via other methods so
it's not /really/ that bad.

auth_null was primarily introduced to allow schroot to build on systems
(Hurd, kfreebsd) which might lack Linux-PAM. Since dchroot/dchroot-dsa
don't allow user-switching, I moved them to use it as well, since PAM
wasn't needed. But thinking about it, I might switch back to using PAM
unilaterally (on platforms where it is available).

This has been committed into git, but I'll need to ponder the
implications for a little bit before I upload it.

Regards,
Roger

--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
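
Added example (not part of the original mail and not schroot's code): a simplified C++ model of the decision path described above, showing why root failed under the original auth_null, why the relaxed check fixes it, and how the relaxed check no longer follows the pam_rootok policy. All type and function names are hypothetical, and the PAM stack is assumed to consist only of the pam_rootok line quoted in the mail, with no password supplied.

```cpp
#include <initializer_list>
#include <iostream>
#include <string>

// Simplified model of the behaviour described in the mail. All names are
// hypothetical; this is not schroot's source.
enum class Status { None, User, Fail };  // None: no authentication needed
enum class Backend { Pam, NullOriginal, NullRelaxed };

struct Request {
    unsigned ruid;          // uid of the invoking (system) user
    std::string ruser;      // invoking (system) user name
    std::string user;       // user requested inside the chroot
    bool in_allowed_group;  // member of a group granted access to the chroot
};

// Group members skip authentication; root falls through and must
// authenticate; everyone else is refused outright.
Status chroot_auth_status(const Request& r) {
    if (r.in_allowed_group) return Status::None;
    return r.ruid == 0 ? Status::User : Status::Fail;
}

// Assumption: the PAM stack is only the pam_rootok line from the mail,
// so with that line removed nothing else can satisfy authentication.
bool authenticate(Backend b, const Request& r, bool pam_rootok_enabled) {
    switch (b) {
    case Backend::Pam:          return pam_rootok_enabled && r.ruid == 0;
    case Backend::NullOriginal: return false;              // always fails
    case Backend::NullRelaxed:  return r.ruser == r.user;  // no user switch
    }
    return false;
}

bool session_allowed(Backend b, const Request& r, bool pam_rootok_enabled) {
    switch (chroot_auth_status(r)) {
    case Status::None: return true;
    case Status::User: return authenticate(b, r, pam_rootok_enabled);
    case Status::Fail: return false;
    }
    return false;
}

int main() {
    const Request root{0, "root", "root", false};  // constructed sample
    for (bool rootok : {true, false})
        std::cout << "pam_rootok=" << rootok
                  << " pam=" << session_allowed(Backend::Pam, root, rootok)
                  << " null_relaxed=" << session_allowed(Backend::NullRelaxed, root, rootok) << '\n';
}
```

With pam_rootok removed, the PAM-backed path refuses root while the relaxed null path still admits it, which is the policy gap the mail points out.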

