Processed: Re: Bug#1068378

2024-04-04 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 patch
Bug #1068378 [xdm] xdm: pam_keyinit is missing from /etc/pam.d/xdm
Added tag(s) patch.

-- 
1068378: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068378
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1068378:

2024-04-04 Thread Lukasz Stelmach
Control: tags -1 patch



Bug#1068378: [PATCH] Add the pam_keyinit session module to create new sessionkeyring on login

2024-04-04 Thread Łukasz Stelmach
This commit replicates commits [1][2] from the openssh package.
Closes

[1] https://salsa.debian.org/ssh-team/openssh/-/commit/ca7f6f719ad5f168b25165caaff658f21c784c4e
[2] https://salsa.debian.org/ssh-team/openssh/-/commit/dc461e571bcc56f8d95e83c731007636d8e79da5

Closes: #1068378
---
 debian/rules  | 10 +-
 debian/xdm.pam| 19 ---
 debian/xdm.pam.in | 20 
 3 files changed, 29 insertions(+), 20 deletions(-)
 delete mode 100644 debian/xdm.pam
 create mode 100644 debian/xdm.pam.in

diff --git a/debian/rules b/debian/rules
index 5d2dbd3..ab9f5d4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -38,6 +38,7 @@ ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 endif
 
 DEB_HOST_ARCH  ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
+DEB_HOST_ARCH_OS   ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
 DEB_HOST_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_ARCH_OS  ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH_OS)
 DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
@@ -58,6 +59,13 @@ endif
 
 BUILD_DIR := build
 
+debian/xdm.pam: debian/xdm.pam.in
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+   sed 's/^@IF_KEYINIT@//' $< > $@
+else
+   sed '/^@IF_KEYINIT@/d' $< > $@
+endif
+
 stampdir_targets+=config
 config: $(STAMP_DIR)/config
 $(STAMP_DIR)/config: $(STAMP_DIR)/patch
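Review bot: the two `sed` recipe lines under the new `debian/xdm.pam:` rule appear here with leading spaces; make only accepts a tab before a recipe line and otherwise stops with "missing separator", so the patch should be applied from the original mail rather than from this rendering. A one-line comment above the rule saying why the line is conditional (kernel keyrings, and so pam_keyinit, exist only on Linux ports) would save the next editor a trip to the openssh history cited in the commit message.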
@@ -121,7 +129,7 @@ clean: xsfclean
dh_clean
 
 # Build architecture-dependent files here.
-binary-arch: $(STAMP_DIR)/install
+binary-arch: $(STAMP_DIR)/install debian/xdm.pam
dh_testdir
dh_testroot
 
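Review bot: `binary-arch` now depends on `debian/xdm.pam` as a plain file, but the `clean` target visible in the hunk header (`clean: xsfclean` / `dh_clean`) never removes it, so once generated it stays in the source tree and a later build for a different host OS keeps the stale copy, because make only regenerates it when `debian/xdm.pam.in` is newer. Suggest `rm -f debian/xdm.pam` in `clean` (or an entry in `debian/clean`) and adding the generated file to `debian/.gitignore`.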
diff --git a/debian/xdm.pam b/debian/xdm.pam
deleted file mode 100644
index 1108a71..000
--- a/debian/xdm.pam
+++ /dev/null
@@ -1,19 +0,0 @@
-auth   requisite   pam_nologin.so
-auth   requiredpam_env.so
-auth   requiredpam_env.so envfile=/etc/default/locale
-
-# SELinux needs to be the first session rule. This ensures that any
-# lingering context has been cleared. Without this it is possible
-# that a module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
-session requiredpam_loginuid.so
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context. Only sessions which are
-# intended to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so open
-sessionrequiredpam_limits.so
-
-@include common-auth
-@include common-account
-@include common-session
-@include common-password
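Review bot: the delete of `debian/xdm.pam` plus the new `debian/xdm.pam.in` would read as a one-line change if the patch were produced with rename detection (`git format-patch -M`); as submitted, the reviewer has to compare the 19-line and 20-line files by eye to confirm that the only difference is the `@IF_KEYINIT@` line.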
diff --git a/debian/xdm.pam.in b/debian/xdm.pam.in
new file mode 100644
index 000..92c46b7
--- /dev/null
+++ b/debian/xdm.pam.in
@@ -0,0 +1,20 @@
+auth   requisite   pam_nologin.so
+auth   requiredpam_env.so
+auth   requiredpam_env.so envfile=/etc/default/locale
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
+session requiredpam_loginuid.so
+@IF_KEYINIT@session optionalpam_keyinit.so force revoke
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so open
+sessionrequiredpam_limits.so
+
+@include common-auth
+@include common-account
+@include common-session
+@include common-password
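Review bot: a short comment above the `@IF_KEYINIT@session optional pam_keyinit.so force revoke` line would help: what the marker is for, and why `optional` (a missing or failing pam_keyinit must not block login), `force` (replace any session keyring inherited from the display manager process) and `revoke` (drop that keyring when the session ends, so it is not carried into the next login) were chosen. The placement itself is right: after `pam_loginuid.so` and before `pam_selinux.so open`, consistent with the comment that only user-context modules follow the SELinux open, and with the openssh change cited in the commit message.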
-- 
2.39.2



Bug#1068378: xdm: pam_keyinit is missing from /etc/pam.d/xdm

2024-04-04 Thread Łukasz Stelmach
Package: xdm
Version: 1:1.1.11-3+b2
Severity: normal
X-Debbugs-Cc: none, Łukasz Stelmach 

Dear Maintainer,

pam_keyinit is missing from the /etc/pam.d/xdm configuration
file. Therefore, it is not possible to access the session keyring from
programs running in a session started by xdm.

The patch will follow.

PS. Below there is a modified pam file from my system which makes it
possible to access the session keyring.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, armel

Kernel: Linux 6.5.0-0.deb12.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages xdm depends on:
ii  cpp4:12.2.0-3
ii  debconf [debconf-2.0]  1.5.82
ii  libc6  2.36-9+deb12u4
ii  libcrypt1  1:4.4.33-2
ii  libpam0g   1.5.2-6+deb12u1
ii  libselinux13.4-1+b6
ii  libx11-6   2:1.8.4-2+deb12u2
ii  libxau61:1.0.9-1
ii  libxaw72:1.0.14-1
ii  libxdmcp6  1:1.1.2-3
ii  libxext6   2:1.3.4-1+b1
ii  libxft22.3.6-1
ii  libxinerama1   2:1.1.4-3
ii  libxmu62:1.1.3-3
ii  libxpm41:3.5.12-1.1+deb12u1
ii  libxrender11:0.9.10-1.1
ii  libxt6 1:1.2.1-1.1
ii  lsb-base   11.6
ii  procps 2:4.0.2-3
ii  sysvinit-utils [lsb-base]  3.06-4
ii  x11-utils  7.7+5
ii  x11-xserver-utils  7.7+9+b1

xdm recommends no packages.

xdm suggests no packages.

-- Configuration Files:
/etc/pam.d/xdm changed:
auth     requisite   pam_nologin.so
auth     required    pam_env.so
auth     required    pam_env.so envfile=/etc/default/locale
session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session  required    pam_loginuid.so
session  optional    pam_keyinit.so force revoke
session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session  required    pam_limits.so
@include common-auth
@include common-account
@include common-session
@include common-password


-- debconf information:
* shared/default-x-display-manager: xdm
  xdm/daemon_name: /usr/bin/xdm
  xdm/stop_running_server_with_children: false

-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
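An added check to go with the report above (example code, not from the bug report, the patch, or the xdm package): a small POSIX sh script that tests whether a PAM service file has an active pam_keyinit session line, renders an xdm.pam.in-style template with the same two sed expressions the proposed debian/rules uses for the @IF_KEYINIT@ marker, lists the session stack in order, and asks whether the calling process actually has a session keyring. The function names, the constructed sample template, and the matching on the kernel's `_ses` keyring name are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not code from the bug report, the patch, or the xdm package.
# All function names and the sample template below are constructed here.

# Returns 0 if FILE ($1) has an active (non-comment) session line loading pam_keyinit.so.
pam_keyinit_present() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_keyinit\.so' "$1"
}

# Render template $1 for host OS $2 to stdout: keep the marked line on "linux",
# drop it elsewhere (kernel keyrings, and therefore pam_keyinit, are Linux-only).
# Same sed expressions as the proposed debian/rules.
render_pam_template() {
    if [ "$2" = linux ]; then
        sed 's/^@IF_KEYINIT@//' "$1"
    else
        sed '/^@IF_KEYINIT@/d' "$1"
    fi
}

# Print the module of every active session line of $1 in stack order, one per line;
# confirms that pam_keyinit sits after pam_loginuid and before "pam_selinux.so open".
session_modules() {
    sed -nE 's/^[[:space:]]*session[[:space:]]+(\[[^]]*\]|[a-z_]+)[[:space:]]+([^[:space:]]+).*/\2/p' "$1"
}

# 0 = this process has a real session keyring (the kernel names it "_ses"),
# 1 = it does not (e.g. only the per-user "_uid_ses" fallback), 2 = cannot tell here.
session_keyring_visible() {
    if command -v keyctl >/dev/null 2>&1; then
        # keyctl comes from keyutils; "keyctl show @s" prints the keyring's description.
        keyctl show @s 2>/dev/null | grep -q 'keyring: _ses$' && return 0
        return 1
    fi
    if [ -r /proc/keys ]; then
        # Fallback: /proc/keys lists keys this process may view, with type and description.
        grep -Eq 'keyring[[:space:]]+_ses:' /proc/keys && return 0
        return 1
    fi
    return 2
}

# Write a constructed template to $1, modelled on the debian/xdm.pam.in in the patch.
write_sample_template() {
    cat > "$1" <<'EOF'
auth     requisite   pam_nologin.so
auth     required    pam_env.so
auth     required    pam_env.so envfile=/etc/default/locale
session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session  required    pam_loginuid.so
@IF_KEYINIT@session  optional    pam_keyinit.so force revoke
session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session  required    pam_limits.so
@include common-auth
@include common-account
@include common-session
@include common-password
EOF
}

# Usage: sh check_pam_keyinit.sh /etc/pam.d/xdm [/etc/pam.d/other ...]
if [ $# -gt 0 ]; then
    for f; do
        if pam_keyinit_present "$f"; then
            echo "$f: pam_keyinit present"
        else
            echo "$f: pam_keyinit MISSING"
        fi
        printf '  session stack: '; session_modules "$f" | tr '\n' ' '; echo
    done
    session_keyring_visible; case $? in
        0) echo "session keyring: present" ;;
        1) echo "session keyring: absent (pam_keyinit did not run for this session)" ;;
        *) echo "session keyring: unknown on this system" ;;
    esac
fi
```

Run it against /etc/pam.d/xdm from inside an xdm session: an installed file that lacks the line reports "MISSING", and the keyring check then reports "absent", which is the symptom the report describes; after the fix both checks flip.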

