Re: [tor-bugs] #6367 [Internal Services/Tor Sysadmin Team]: make dedicated sudo passwords
#6367: make dedicated sudo passwords
-------------------------------------------------+-------------------------
Reporter: weasel                                 | Owner: anarcat
Type: defect                                     | Status: needs_review
Priority: Medium                                 | Milestone:
Component: Internal Services/Tor Sysadmin Team   | Version:
Severity: Normal                                 | Resolution:
Keywords:                                        | Actual Points:
Parent ID:                                       | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by weasel):
Replying to [comment:12 anarcat]:
> {{{
>
> -#auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
> -auth [authinfo_unavail=ignore success=done ignore=ignore
default=ignore] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
> +# use the LDAP-derived password file for sudo access
> +auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
>
> -@include common-auth
> +# disable /etc/password for sudo authentication, see #6367
> +#@include common-auth
> @include common-account
> @include common-session-noninteractive
> }}}
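Review bot: the `+auth` line is left as the only entry on the auth stack, so its `authinfo_unavail=ignore` and `ignore=ignore` outcomes run off the end of the stack and the result is whatever libpam returns for a stack that reached no decision, not a policy the file states; add an explicit final entry after the pam_pwdfile line, either a fallback (`auth required pam_unix.so ...`) or an explicit deny, so every return value has a stated destination. Two documentation points in the same hunk: the `-` lines show the previously active entry used `default=ignore` and fell through to `common-auth`, so switching to `default=die` while commenting out `@include common-auth` turns a wrong sudo password into a hard stop instead of a fall-through, which the comment should say; and the comment `disable /etc/password for sudo authentication` names a file that does not exist (the system file is `/etc/passwd`, and what is actually disabled is the `common-auth` include).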
I'm not convinced. Having `authinfo_unavail=ignore` and `ignore=ignore`
without an explicit next item on the auth stack seems fishy.
Here's what Debian does, and I think it's sane:
{{{
auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
auth required pam_unix.so nullok_secure try_first_pass
}}}
This does auth against `pam_pwdfile`, and only if an entry is not there do
we fall back to `pam_unix`. Either that or a flat out deny seems like a
good idea.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6367#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
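To make the difference between the two stacks concrete, here is an added example (not code from the ticket, from Tor's sysadmin repository, or from Linux-PAM) that re-implements the dispatch rules pam.conf(5) documents for the bracketed `[value=action ...]` control syntax and runs the three candidate auth stacks discussed above through them: the single pam_pwdfile line from the diff, the Debian stanza with a `pam_unix.so` fallback, and a flat-out deny via `pam_deny.so`. The return values each module would produce are supplied by hand; the module names are labels only, and the values chosen for `pam_unix.so` are hypothetical inputs, not claims about what pam_unix returns on a given host.

```python
"""Evaluate Linux-PAM style auth stacks under the [value=action ...] rules.

Added example; re-implements the dispatch semantics described in pam.conf(5)
(ok, done, bad, die, ignore, reset, N). Module return values are caller
supplied, so module names are labels, not real module calls.
"""

MUST_FAIL = "perm_denied"  # Linux-PAM's PAM_MUST_FAIL_CODE is PAM_PERM_DENIED

# Expansions of the classic keywords, as listed in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn 'required' or '[success=done default=die]' into {value: action}."""
    control = KEYWORDS.get(control, control).strip()
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"unrecognised control field: {control!r}")
    actions = {}
    for item in control[1:-1].split():
        value, _, action = item.partition("=")
        if not action:
            raise ValueError(f"malformed value=action pair: {item!r}")
        actions[value] = action
    return actions


def action_for(actions, retval):
    """Unlisted return values take 'default='; with no default they are 'bad'."""
    return actions.get(retval, actions.get("default", "bad"))


def evaluate(stack, returns):
    """Run one stack of (control, module) pairs against aligned return values.

    Returns (final status, whether any module actually decided the outcome,
    trace). 'decided' is False when every entry was ignored and the status is
    only libpam's implicit end-of-stack failure.
    """
    impression = None  # None = undefined, True = positive, False = negative
    status, trace, skip = MUST_FAIL, [], 0
    for (control, module), retval in zip(stack, returns):
        if skip:
            skip -= 1
            trace.append(f"{module}: skipped by jump")
            continue
        action = action_for(parse_control(control), retval)
        trace.append(f"{module}: {retval} -> {action}")
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression and status == "success"):
                if retval != "ignore" or impression is None:
                    impression, status = True, retval
            if action == "done" and impression:
                break
            if action.isdigit():          # N: skip the next N entries
                skip = int(action)
        elif action in ("bad", "die"):
            if impression is not False:
                impression = False
                status = MUST_FAIL if retval == "ignore" else retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, MUST_FAIL
        elif action != "ignore":
            raise ValueError(f"unknown action {action!r}")
    if status == "success" and impression is not True:
        status = MUST_FAIL  # closing sanity check: no positive impression, no success
    return status, impression is not None, trace


# The pam_pwdfile line as it appears in the ticket's diff.
PWDFILE = ("[authinfo_unavail=ignore success=done ignore=ignore default=die]",
           "pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd")
TICKET_STACK = [PWDFILE]                                             # diff: nothing after it
DEBIAN_STACK = [PWDFILE, ("required", "pam_unix.so nullok_secure try_first_pass")]
DENY_STACK = [PWDFILE, ("required", "pam_deny.so")]                  # explicit deny variant


def compare(pwdfile_retval, unix_retval="auth_err"):
    """(status, decided) of each stack for a given pam_pwdfile return value.

    unix_retval is the hypothetical pam_unix result for the fallback stack;
    pam_deny's authenticate step always returns auth_err.
    """
    return {
        "ticket": evaluate(TICKET_STACK, [pwdfile_retval])[:2],
        "debian": evaluate(DEBIAN_STACK, [pwdfile_retval, unix_retval])[:2],
        "deny": evaluate(DENY_STACK, [pwdfile_retval, "auth_err"])[:2],
    }


if __name__ == "__main__":
    for case in (("success",), ("auth_err",),
                 ("authinfo_unavail", "success"), ("authinfo_unavail", "auth_err")):
        print(case, compare(*case))
```

The interesting row is `authinfo_unavail`: the ticket's single-line stack reports `perm_denied` with `decided == False`, meaning nothing on the stack made that call and the denial comes only from libpam's end-of-stack default, while both the Debian stanza and the `pam_deny.so` variant reach an explicit decision (`success`/`auth_err` from pam_unix, or `auth_err` from pam_deny). A `success` or `auth_err` from pam_pwdfile ends all three stacks identically, so the fallback line only matters in exactly the case the comment calls fishy.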
tor-bugs mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs