Re: [tor-bugs] #6367 [Internal Services/Tor Sysadmin Team]: make dedicated sudo passwords
#6367: make dedicated sudo passwords
-------------------------------------------------+-------------------------
Reporter: weasel | Owner: anarcat
Type: defect | Status: needs_review
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
* status: assigned => needs_review
Comment:
Couldn't do this yesterday as I was on vacation, and now it feels a bit
late in the day to perform the change - I'd like to have time during the
day to help people with problems if they happen.

So I'm going to do this tomorrow morning instead.

I've also notified the GR people specifically to see if this will cause
any problems on their side. I've pushed the changes to a `sudo-ldap`
branch on the puppetmaster, which is ready for review, but it's basically
this patch set:
{{{
From 20850426446dab13c090932d8dbb13ccaeeeb3da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@xxxxxxxxxx>
Date: Tue, 15 Oct 2019 16:32:41 -0400
Subject: [PATCH 1/2] cleanup sudo's pam config: reuse common-auth
The only difference was `try_first_pass` that is missing from
common-auth, but considering we're going to remove that line anyways,
it's worth keeping that refactoring separate in history.
---
modules/sudo/files/pam | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/modules/sudo/files/pam b/modules/sudo/files/pam
index 1621e8d3..05642199 100644
--- a/modules/sudo/files/pam
+++ b/modules/sudo/files/pam
@@ -5,9 +5,7 @@
#auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
auth [authinfo_unavail=ignore success=done ignore=ignore default=ignore]
pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
-auth [success=1 default=ignore] pam_unix.so nullok_secure
try_first_pass
-auth requisite pam_deny.so
-auth required pam_permit.so
+@include common-auth
@include common-account
@include common-session-noninteractive
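Review bot: the commit message names `try_first_pass` as the only behavioural difference, but the hunk also drops the explicit `auth requisite pam_deny.so` / `auth required pam_permit.so` terminators together with the `pam_unix.so nullok_secure` line; the message should say that `@include common-auth` is relied on to supply equivalent deny/permit handling, because the surviving active `pam_pwdfile.so` line still uses `default=ignore`, so every failed sudo-passwd check falls through into whatever common-auth contains on the host. It is also worth stating that the commented-out `default=die` variant two lines above is kept on purpose for the follow-up commit, so a reader of this commit alone does not take it for leftover cruft.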
--
2.20.1
}}}
{{{
From b4c21e7e31b89e8b89476f16da8eb6bdfc666123 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@xxxxxxxxxx>
Date: Tue, 15 Oct 2019 16:33:36 -0400
Subject: [PATCH 2/2] disable /etc/password for sudo access (see #6367)
---
modules/sudo/files/pam | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/sudo/files/pam b/modules/sudo/files/pam
index 05642199..7e1ec366 100644
--- a/modules/sudo/files/pam
+++ b/modules/sudo/files/pam
@@ -3,9 +3,10 @@
##
#%PAM-1.0
-#auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
-auth [authinfo_unavail=ignore success=done ignore=ignore default=ignore]
pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
+# use the LDAP-derived password file for sudo access
+auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
-@include common-auth
+# disable /etc/password for sudo authentication, see #6367
+#@include common-auth
@include common-account
@include common-session-noninteractive
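Review bot: with `@include common-auth` commented out, the auth stack has a single deciding module, and the `authinfo_unavail=ignore` branch on the new `pam_pwdfile.so` line means that a missing or unreadable `/var/lib/misc/thishost/sudo-passwd` (for example on a host where the file has not been generated yet) leaves no module having returned a verdict; the commit message should state what the resulting outcome is (sudo denied versus granted), and an explicit `auth required pam_deny.so` after the pwdfile line would make the fail-closed intent unambiguous instead of depending on PAM's handling of a stack where every module was ignored. Minor: the added comment reads `/etc/password`; the source being disabled is `/etc/passwd`/`/etc/shadow` via pam_unix in common-auth, so the comment should name it correctly.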
--
2.20.1
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6367#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online