[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #6367 [Internal Services/Tor Sysadmin Team]: make dedicated sudo passwords



#6367: make dedicated sudo passwords
-------------------------------------------------+-------------------------
 Reporter:  weasel                               |          Owner:  anarcat
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):

 * status:  assigned => needs_review


Comment:

 couldn't do this yesterday as i was on vacation, and now it feels a bit
 late in the day to perform the change - i'd like to have time during the
 day to help people with problems if they happen.

 so i'm going to do this tomorrow morning instead.

 i've also notified the GR people specifically to see if this will cause
 any problems on their side. i've pushed the changes to a `sudo-ldap`
 branch on the puppetmaster, which is ready for review, but it's basically
 this patch set:

 {{{
 From 20850426446dab13c090932d8dbb13ccaeeeb3da Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@xxxxxxxxxx>
 Date: Tue, 15 Oct 2019 16:32:41 -0400
 Subject: [PATCH 1/2] cleanup sudo's pam config: reuse common-auth

 The only difference was `try_first_pass` that is missing from
 common-auth, but considering we're going to remove that line anyways,
 it's worth keeping that refactoring separate in history.
 ---
  modules/sudo/files/pam | 4 +---
  1 file changed, 1 insertion(+), 3 deletions(-)

 diff --git a/modules/sudo/files/pam b/modules/sudo/files/pam
 index 1621e8d3..05642199 100644
 --- a/modules/sudo/files/pam
 +++ b/modules/sudo/files/pam
 @@ -5,9 +5,7 @@

  #auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
 pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
  auth [authinfo_unavail=ignore success=done ignore=ignore default=ignore]
 pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
 -auth    [success=1 default=ignore]      pam_unix.so nullok_secure
 try_first_pass
 -auth    requisite                       pam_deny.so
 -auth    required                        pam_permit.so

 +@include common-auth
  @include common-account
  @include common-session-noninteractive
 --
 2.20.1
 }}}

 {{{
 From b4c21e7e31b89e8b89476f16da8eb6bdfc666123 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@xxxxxxxxxx>
 Date: Tue, 15 Oct 2019 16:33:36 -0400
 Subject: [PATCH 2/2] disable /etc/password for sudo access (see #6367)

 ---
  modules/sudo/files/pam | 7 ++++---
  1 file changed, 4 insertions(+), 3 deletions(-)

 diff --git a/modules/sudo/files/pam b/modules/sudo/files/pam
 index 05642199..7e1ec366 100644
 --- a/modules/sudo/files/pam
 +++ b/modules/sudo/files/pam
 @@ -3,9 +3,10 @@
  ##
  #%PAM-1.0

 -#auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
 pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
 -auth [authinfo_unavail=ignore success=done ignore=ignore default=ignore]
 pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
 +# use the LDAP-derived password file for sudo access
 +auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
 pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd

 -@include common-auth
 +# disable /etc/password for sudo authentication, see #6367
 +#@include common-auth
  @include common-account
  @include common-session-noninteractive
 --
 2.20.1

 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6367#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs