Bug#906752: sudo, pam_keyinit, what to do?

2022-07-16 Thread Chris Hofstaedtler
* Marc Haber  [220714 14:10]:
> On Thu, Jul 14, 2022 at 12:20:48PM +0200, Chris Hofstaedtler wrote:
> > Well, the pam_keyinit man page says it was written by David Howells
> > , but I don't know if he is still working on
> > it.
> 
> I reached out to that address a few months ago, they didn't bother
> replying.
> 
> > This openSUSE bug seems to touch on related questions:
> > https://bugzilla.suse.com/show_bug.cgi?id=1081947
> 
> Lesson learned: The major distributions ALL do not know what they're
> doing, they're blindly copying from each other. And nobody cares.

Yes, and I think in this case nobody really knows what the expected
behaviour is.
Judging by the man page, su, runuser, sudo should probably NOT
invoke pam_keyinit, except if run with a flag simulating login
(su/runuser -l, sudo -i?).

As we have seen before, there's also a "force" flag, and I really
have no idea why it exists or what happens if "force" is not given.

My current thinking:
1) should figure out what "force" really does, and more importantly:
   what happens if "force" is not given
2) su-l, runuser-l, sudo-i should probably call pam_keyinit with
   force
3) depending on 1), su, runuser, sudo pam files should either all
   invoke pam_keyinit.so, or none of them should.

Chris

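Added example, not from this thread and not code from sudo, util-linux, Linux-PAM or keyutils: a small audit that walks a set of /etc/pam.d files, expands @include and the include/substack controls, and reports for each service whether pam_keyinit.so is reached and with which options, so that point 3 above (su, runuser and sudo should agree, and the -l/-i variants should agree among themselves) can be checked mechanically instead of by eye. The sample directory is constructed for the example: the pam_keyinit lines are the ones quoted in this thread (Debian su-l, runuser, runuser-l; RHEL/CentOS 7 sudo and sudo-i), doas is given no pam_keyinit line as Marc reported, and every other rule and the include structure are assumptions.

```python
"""Audit which PAM service files reach pam_keyinit.so, and with which options.

Example code added to this thread; not part of sudo, util-linux, Linux-PAM
or keyutils. SAMPLE_PAM_D is constructed: the pam_keyinit lines are the ones
quoted in the thread, all other rules and the include layout are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

SAMPLE_PAM_D: Dict[str, str] = {
    "common-session": "session\trequired\tpam_unix.so\n",
    "su": "auth\tsufficient\tpam_rootok.so\nsession\trequired\tpam_unix.so\n",
    "su-l": "session\toptional\tpam_keyinit.so force revoke  # Debian\n@include su\n",
    "runuser": "session\toptional\tpam_keyinit.so revoke\n",
    "runuser-l": "session\toptional\tpam_keyinit.so force revoke\n@include runuser\n",
    # RHEL/CentOS 7 lines as quoted by Hilko; the include line is assumed
    "sudo": "session\toptional\tpam_keyinit.so revoke\nsession\tinclude\tcommon-session\n",
    "sudo-i": "session\toptional\tpam_keyinit.so force revoke\nsession\tinclude\tcommon-session\n",
    "doas": "@include common-session\n",  # no pam_keyinit reference at all
}

# type control module [args]; control may be the bracketed [key=value ...] form
RULE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


@dataclass(frozen=True)
class Rule:
    service: str              # file the rule was read from, after include expansion
    type: str
    control: str
    module: str
    options: Tuple[str, ...]  # module arguments, e.g. ("force", "revoke")


def logical_lines(text: str) -> List[str]:
    """Drop comments and blank lines, join backslash continuations,
    collapse runs of whitespace (tabs are the usual separator in pam.d)."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out


def rules_for(service: str, configs: Dict[str, str],
              _stack: Tuple[str, ...] = ()) -> List[Rule]:
    """Every rule PAM would see for `service`, in order, with @include and the
    include/substack controls expanded. Include cycles and missing files
    contribute nothing instead of recursing forever."""
    if service in _stack or service not in configs:
        return []
    stack = _stack + (service,)
    rules: List[Rule] = []
    for line in logical_lines(configs[service]):
        if line.startswith("@include"):
            parts = line.split()
            if len(parts) == 2:
                rules.extend(rules_for(parts[1], configs, stack))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # unrecognised line; a stricter audit would flag it
        if m.group("control") in ("include", "substack"):
            rules.extend(rules_for(m.group("module"), configs, stack))
            continue
        rules.append(Rule(service, m.group("type"), m.group("control"),
                          m.group("module"), tuple(m.group("args").split())))
    return rules


def keyinit_summary(service: str, configs: Dict[str, str]) -> Optional[Tuple[str, ...]]:
    """None if `service` never reaches pam_keyinit.so, otherwise the sorted
    options of the first pam_keyinit rule it reaches."""
    hits = [r for r in rules_for(service, configs) if r.module == "pam_keyinit.so"]
    return None if not hits else tuple(sorted(hits[0].options))


def check_group(group: Tuple[str, ...], configs: Dict[str, str]):
    """Point 3 of the plan: all services in `group` should handle pam_keyinit
    the same way. Returns the per-service summary and whether they agree."""
    summary = {svc: keyinit_summary(svc, configs) for svc in group}
    return summary, len(set(summary.values())) <= 1


def load_pam_d(path: str = "/etc/pam.d") -> Dict[str, str]:
    """Read a live PAM directory into the same shape as SAMPLE_PAM_D."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


if __name__ == "__main__":
    for svc in sorted(SAMPLE_PAM_D):
        print(f"{svc:15} {keyinit_summary(svc, SAMPLE_PAM_D)}")
    for group in (("su", "runuser", "sudo"), ("su-l", "runuser-l", "sudo-i")):
        summary, ok = check_group(group, SAMPLE_PAM_D)
        print("agree   " if ok else "DISAGREE", summary)
```

On the constructed sample the non-login group disagrees (su reaches no pam_keyinit rule, runuser and sudo reach one with "revoke") while the login group agrees on "force revoke", which is exactly the split the thread is discussing. To run it against a real host, pass load_pam_d() instead of SAMPLE_PAM_D. The audit only says which pam_keyinit rule a service reaches first and with which flags; what the session keyring actually looks like afterwards still has to be observed with keyctl show (from keyutils) inside the resulting session, which is the experiment point 1 asks for.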


Bug#906752: sudo, pam_keyinit, what to do?

2022-07-14 Thread Marc Haber
On Thu, Jul 14, 2022 at 12:20:48PM +0200, Chris Hofstaedtler wrote:
> Well, the pam_keyinit man page says it was written by David Howells
> , but I don't know if he is still working on
> it.

I reached out to that address a few months ago, they didn't bother
replying.

> This openSUSE bug seems to touch on related questions:
> https://bugzilla.suse.com/show_bug.cgi?id=1081947

Lesson learned: The major distributions ALL do not know what they're
doing, they're blindly copying from each other. And nobody cares.

Greetings
Marc



-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."  Winona Ryder   | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#906752: sudo, pam_keyinit, what to do?

2022-07-14 Thread Chris Hofstaedtler
Hi Marc,

* Marc Haber  [220705 15:53]:
> I'm coming back to this after being busy with other things.
> 
> On Sun, Feb 06, 2022 at 05:09:10PM +0100, Chris Hofstaedtler wrote:
> > * Marc Haber  [220206 12:36]:
> > > in sudo, we have currently the situation whether to add calls to
> > > pam_keyinit in our pam configuration files. There is quite a number of
> > > packages doing this, but the pam_keyinit documentation advises "programs
> > > like su" against doing so. However, in Debian, /etc/pam.d/su-l
> > > references pam_keyinit, while /etc/pam.d/su doesn't. On the other hand,
> > > doas doesn't seem to reference pam_keyinit at all.
> > > 
> > > If sudo goes the way to mimic what su does, we would reference
> > > pam_keyinit in /etc/pam.d/sudo-i which is our form of giving the caller
> > > an interactive session, but not in /etc/pam.d/sudo.
> > > 
> > > May I ask for your rationale to do things the way you did them for su and
> > > pam_keyinit? Your insights might help us to take a wise decision for
> > > sudo.
> > 
> > I do not know why this was done for su-l and not su. My speculation
> > would be that we have inherited the su-l PAM config from Fedora, and
> > the su PAM config from src:shadow before 2018. Maybe the distinction
> > is an accident.

[..]

> > It would appear to me that keyutils and pam_keyinit, and most of the
> > util-linux PAM config originate in Fedora(/RH). The Fedora folks
> > are probably the ones to ask how all of this is supposed to work.
> 
> Chris,
> Can you give me a pointer to whom in Fedora I'm supposed to reach out?

Well, the pam_keyinit man page says it was written by David Howells
, but I don't know if he is still working on
it.

This openSUSE bug seems to touch on related questions:
https://bugzilla.suse.com/show_bug.cgi?id=1081947

Unfortunately the only real doc appears to be the man page :-|

Chris



Bug#906752: sudo, pam_keyinit, what to do?

2022-07-05 Thread Andreas Henriksson
Hello Marc, Chris,

Sorry for my late (and possibly pretty lame) reply.

On Tue, Jul 05, 2022 at 03:17:19PM +0200, Marc Haber wrote:
> 
> On Sun, Feb 06, 2022 at 05:09:10PM +0100, Chris Hofstaedtler wrote:
> > * Marc Haber  [220206 12:36]:
[...]
> > > May I ask for you rationale to do things the way you did them for su and
> > > pam_keyinit? Your insights might help us to take a wise decision for
> > > sudo.
> > 
> > I do not know why this was done for su-l and not su. My speculation
> > would be that we have inherited the su-l PAM config from Fedora, and
> > the su PAM config from src:shadow before 2018. Maybe the distinction
> > is an accident.
> > 
> > Andreas, you worked on the su takeover from src:shadow. Do you have
> > insights to share?
> 
> Andreas, did you read this?
[...]

I have a very bad memory which is why I try to write down as much as
possible in bug reports, commit messages, etc to leave hints for my
future self. I need to dig to figure things out myself, but I think the
above description is basically correct.

(If there's any message from me that you have a problem with
interpreting what it means, please point me to it and I can try to
interpret my own bad grammar to figure out what I tried to write.)

Regards,
Andreas Henriksson



Bug#906752: sudo, pam_keyinit, what to do?

2022-07-05 Thread Marc Haber
Hi Chris,

thanks for trying to help back in February.

I'm coming back to this after being busy with other things.

On Sun, Feb 06, 2022 at 05:09:10PM +0100, Chris Hofstaedtler wrote:
> * Marc Haber  [220206 12:36]:
> > in sudo, we have currently the situation whether to add calls to
> > pam_keyinit in our pam configuration files. There is quite a number of
> > packages doing this, but the pam_keyinit documentation advises "programs
> > like su" against doing so. However, in Debian, /etc/pam.d/su-l
> > references pam_keyinit, while /etc/pam.d/su doesn't. On the other hand,
> > doas doesn't seem to reference pam_keyinit at all.
> > 
> > If sudo goes the way to mimic what su does, we would reference
> > pam_keyinit in /etc/pam.d/sudo-i which is our form of giving the caller
> > an interactive session, but not in /etc/pam.d/sudo.
> > 
> > May I ask for your rationale to do things the way you did them for su and
> > pam_keyinit? Your insights might help us to take a wise decision for
> > sudo.
> 
> I do not know why this was done for su-l and not su. My speculation
> would be that we have inherited the su-l PAM config from Fedora, and
> the su PAM config from src:shadow before 2018. Maybe the distinction
> is an accident.
> 
> Andreas, you worked on the su takeover from src:shadow. Do you have
> insights to share?

Andreas, did you read this?

> It would appear to me that keyutils and pam_keyinit, and most of the
> util-linux PAM config originate in Fedora(/RH). The Fedora folks
> are probably the ones to ask how all of this is supposed to work.

Chris,
Can you give me a pointer to whom in Fedora I'm supposed to reach out?

Greetings
Marc



Bug#906752: sudo, pam_keyinit, what to do?

2022-03-14 Thread Marc Haber
Control: tags -1 help
Control: tags 939357 help
thanks

On Wed, Feb 02, 2022 at 12:44:44PM +0100, Marc Haber wrote:
> So we need to make up our minds whether to follow up the pam_keyinit
> maintainers or Red Hat. Maybe the PAM maintainer can comment here?

For the record, the Red Hat maintainer of pam_keyinit didn't bother
replying. So the next thing is to follow Steve's advice to reach out to
-devel to get consensus. I have currently other things on my plate and
would not like to open just another issue here, I am therefore
postponing this on my personal schedule.

Other team members or people who want to help, please reach out to
-devel at will. Thanks in advance.

Greetings
Marc



Bug#906752: sudo, pam_keyinit, what to do?

2022-02-06 Thread Chris Hofstaedtler
Hello Marc,
Hello Andreas (added to CC:),

* Marc Haber  [220206 12:36]:
> in sudo, we have currently the situation whether to add calls to
> pam_keyinit in our pam configuration files. There is quite a number of
> packages doing this, but the pam_keyinit documentation advises "programs
> like su" against doing so. However, in Debian, /etc/pam.d/su-l
> references pam_keyinit, while /etc/pam.d/su doesn't. On the other hand,
> doas doesn't seem to reference pam_keyinit at all.
> 
> If sudo goes the way to mimic what su does, we would reference
> pam_keyinit in /etc/pam.d/sudo-i which is our form of giving the caller
> an interactive session, but not in /etc/pam.d/sudo.
> 
> May I ask for your rationale to do things the way you did them for su and
> pam_keyinit? Your insights might help us to take a wise decision for
> sudo.

I do not know why this was done for su-l and not su. My speculation
would be that we have inherited the su-l PAM config from Fedora, and
the su PAM config from src:shadow before 2018. Maybe the distinction
is an accident.

Andreas, you worked on the su takeover from src:shadow. Do you have
insights to share?

> On Sat, Feb 27, 2021 at 06:38:00PM +0100, Hilko Bengen wrote:
> > The pam_keyring(8) manpage advises against adding pam_keyinit 
> > 
> > ,
> > | This module should not, generally, be invoked by programs like su,
> > | since it is usually desirable for the key set to percolate through to
> > | the alternate context. The keys have their own permissions system to
> > | manage this.
> > `
> > 
> > However, there's no mentioning of the issue described here.
> > 
> > For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
> > contains a line.
> > 
> > ,
> > | sessionoptional pam_keyinit.so revoke
> > `
> > 
> > and they also seem to have different intended behavior for interactive
> > usage – there's a separate /etc/pam.d/sudo-i which contains
> > 
> > ,
> > | sessionoptional pam_keyinit.so force revoke
> > `

I will note that our runuser(-l) PAM config also mirrors this:

runuser:
session    optional    pam_keyinit.so revoke

runuser-l:
session    optional    pam_keyinit.so force revoke


It would appear to me that keyutils and pam_keyinit, and most of the
util-linux PAM config originate in Fedora(/RH). The Fedora folks
are probably the ones to ask how all of this is supposed to work.

> Thanks for your help, which is greatly appreciated.

Sorry that I cannot add much useful info here.

Chris



Bug#906752: sudo, pam_keyinit, what to do?

2022-02-06 Thread Marc Haber
X-Debbugs-Cc: util-li...@packages.debian.org

Dear Util-Linux Maintainers,

in sudo, we have currently the situation whether to add calls to
pam_keyinit in our pam configuration files. There is quite a number of
packages doing this, but the pam_keyinit documentation advises "programs
like su" against doing so. However, in Debian, /etc/pam.d/su-l
references pam_keyinit, while /etc/pam.d/su doesn't. On the other hand,
doas doesn't seem to reference pam_keyinit at all.

If sudo goes the way to mimic what su does, we would reference
pam_keyinit in /etc/pam.d/sudo-i which is our form of giving the caller
an interactive session, but not in /etc/pam.d/sudo.

May I ask for your rationale to do things the way you did them for su and
pam_keyinit? Your insights might help us to take a wise decision for
sudo.

On Sat, Feb 27, 2021 at 06:38:00PM +0100, Hilko Bengen wrote:
> The pam_keyring(8) manpage advises against adding pam_keyinit 
> 
> ,----
> | This module should not, generally, be invoked by programs like su,
> | since it is usually desirable for the key set to percolate through to
> | the alternate context. The keys have their own permissions system to
> | manage this.
> `----
> 
> However, there's no mention of the issue described here.
> 
> For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
> contains a line.
> 
> ,----
> | session    optional    pam_keyinit.so revoke
> `----
> 
> and they also seem to have different intended behavior for interactive
> usage – there's a separate /etc/pam.d/sudo-i which contains
> 
> ,----
> | session    optional    pam_keyinit.so force revoke
> `----

Thanks for your help, which is greatly appreciated.

Greetings
Marc




Bug#906752: sudo, pam_keyinit, what to do?

2022-02-05 Thread Steve Langasek
On Wed, Feb 02, 2022 at 12:44:44PM +0100, Marc Haber wrote:
> X-Debbugs-CC: vor...@debian.org
> thanks
> 
> On Sat, Feb 27, 2021 at 06:38:00PM +0100, Hilko Bengen wrote:
> > The pam_keyring(8) manpage advises against adding pam_keyinit 

I guess this is supposed to be pam_keyinit(8) since I do find the text
there.

> > ,----
> > | This module should not, generally, be invoked by programs like su,
> > | since it is usually desirable for the key set to percolate through to
> > | the alternate context. The keys have their own permissions system to
> > | manage this.
> > `----

> > However, there's no mention of the issue described here.

> > For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
> > contains a line.

> > ,----
> > | session    optional    pam_keyinit.so revoke
> > `----

> > and they also seem to have different intended behavior for interactive
> > usage – there's a separate /etc/pam.d/sudo-i which contains

> > ,----
> > | session    optional    pam_keyinit.so force revoke
> > `----

> So we need to make up our minds whether to follow up the pam_keyinit
> maintainers or Red Hat. Maybe the PAM maintainer can comment here?

I would suggest consulting the maintainers of other packages that currently
ship references to pam_keyinit and try to get a consensus with them.  For
example, /etc/pam.d/su-l does reference pam_keyinit in Debian, which seems
like it directly contradicts the above manpage but addresses this exact
issue.  I believe debian-devel is the appropriate venue for such a
discussion.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#906752: sudo, pam_keyinit, what to do?

2022-02-02 Thread Marc Haber
X-Debbugs-CC: vor...@debian.org
thanks

On Sat, Feb 27, 2021 at 06:38:00PM +0100, Hilko Bengen wrote:
> The pam_keyring(8) manpage advises against adding pam_keyinit 
> 
> ,----
> | This module should not, generally, be invoked by programs like su,
> | since it is usually desirable for the key set to percolate through to
> | the alternate context. The keys have their own permissions system to
> | manage this.
> `----
> 
> However, there's no mention of the issue described here.
> 
> For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
> contains a line.
> 
> ,----
> | session    optional    pam_keyinit.so revoke
> `----
> 
> and they also seem to have different intended behavior for interactive
> usage – there's a separate /etc/pam.d/sudo-i which contains
> 
> ,----
> | session    optional    pam_keyinit.so force revoke
> `----

So we need to make up our minds whether to follow up the pam_keyinit
maintainers or Red Hat. Maybe the PAM maintainer can comment here?

Greetings
Marc



Bug#906752: sudo, pam_keyinit, what to do?

2021-02-27 Thread Hilko Bengen
The pam_keyring(8) manpage advises against adding pam_keyinit 

,----
| This module should not, generally, be invoked by programs like su,
| since it is usually desirable for the key set to percolate through to
| the alternate context. The keys have their own permissions system to
| manage this.
`----

However, there's no mention of the issue described here.

For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
contains a line.

,----
| session    optional    pam_keyinit.so revoke
`----

and they also seem to have different intended behavior for interactive
usage – there's a separate /etc/pam.d/sudo-i which contains

,----
| session    optional    pam_keyinit.so force revoke
`----

Cheers,
-Hilko