Hi Martijn, hi Gaudenz!
On Sat, Oct 11, 2014 at 12:54:29PM +0200, Gaudenz Steinlin wrote:
>
> Hi Martijn
>
> Martijn van Brummelen <mart...@brumit.nl> writes:
>
> > Im not sure if the suggested patch is ok or not, or provide a better patch?
> > I asked on debian devel mailinglist[0]]/irc but did not get much response.
> > It would be a pitty if Jessie would be released without it.
> > Can someone advice me on this?
>
> Surely not having the package in testing and thus jessie is the worst
> option. So there needs to be a fix for this bug very soon. Here are my
> thoughts about it:
>
> 1. IMO the severity and tags of this bug are overrated. One possible
> solution is to just downgrade this to wishlist and remove the security
> tag. I'm not at all convinced that this is a security problem in your
> package. One thing you have to make sure in this case is that you
> don't overwrite any configuration already in place. So if it's set to
> optional in the authentication phase before the upgrade it should
> stay at this setting. Everything else is a Debian Policy violation.
> Not overwriting the existing configuration solves the security
> problem. There is no security problem on new installs IMO. If someone
> installs a script that allows unconditional authentication and does
> not check the pam-script configuration, then this is a configuration
> error outside of your package.
>
> 2. Basically this is an issue about the right default policy for the
> authentication phase of libpam-scripts. This is IMO something you as
> the maintainer can decide. Every value is right in some cases and
> wrong in others. There is no single value that will suit everyone. I
> proposed sufficient as the default value, but I can live with every
> setting and agree that there are good reasons to change the setting.
> Probably optional is indeed the most conservative setting. But also
> the one that means that the setting must be changed for many use
> cases.
I almost agree with the above. I have no idea if the package is more
often used with Gaudenz' settings ('sufficient') or with the
'optional' I suggested. (Before this discussion, I never thought
about the way Gaudenz used the package, but that might be due to
my limited view.)
I can live with both settings too, of course. Perhaps it would be
good to mention Gaudenz' use case in the documentation (especially if
'sufficient' is used), to make users aware of the importance not to
use pam_script_auth where pam_script_ses_open should be used.
I think, as Gaudenz suggests, Martijn as the maintainer should decide
which default setting he prefers. In any case and after this thorough
discussion, I agree that the 'bug' should not be the reason to not
ship the package in jessie. (I was still kind of 'shocked' by being
able to log into my test setup as root without password when I
reported the bug. Today I would probably not rate the issue as
'grave'. )
Best regards,
Andi
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
