
[staging] pam: 1.3.1 -> 1.5.1 #107185

Merged: 1 commit, Dec 23, 2020

Conversation

NeQuissimus (Member)

Motivation for this change

Update

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@NeQuissimus NeQuissimus changed the title pam: 1.3.1 -> 1.5.1 [staging] pam: 1.3.1 -> 1.5.1 Dec 19, 2020
andir (Member) commented Dec 19, 2020

Here are some of the changes from the release notes:

Linux-PAM release 1.5.1
* pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
            doesn't exist and root password is blank
* pam_faillock: added nodelay option to not set pam_fail_delay
* pam_wheel: use pam_modutil_user_in_group to check for the group membership
             with getgrouplist where it is available

Linux-PAM release 1.5.0
* Multiple minor bug fixes, portability fixes, and documentation improvements.
* Extended libpam API with pam_modutil_check_user_in_passwd function.
* configure: added --disable-unix option to disable build of pam_unix module.
* pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
* pam_limits: added support for nonewprivs item.
* pam_motd: read motd files with target user credentials skipping unreadable ones.
* pam_pwhistory: added a SELinux helper executable.
* pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
* pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
* Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project)
  or pam_pwquality (from libpwquality project) instead.
* Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.
* pam_env: Reading of the user environment is deprecated and will be removed
  at some point in the future.
* libpam: pam_modutil_drop_priv() now correctly sets the target user's
  supplementary groups, allowing pam_motd to filter messages accordingly

Linux-PAM release 1.4.0
* Multiple minor bug fixes and documentation improvements
* Fixed grammar of messages printed via pam_prompt
* Added support for a vendor directory and libeconf
* configure: Added --enable-Werror option to enable -Werror build
* configure: Allowed disabling documentation through --disable-doc
* pam_get_authtok_verify: Avoid duplicate password verification
* pam_cracklib: Fixed parsing of options without arguments
* pam_env: Changed the default to not read the user .pam_environment file
* pam_exec: Require a user name to be specified before the command is executed
* pam_faillock: New module for locking after multiple auth failures
* pam_group, pam_time: Fixed logical error with multiple ! operators
* pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
* pam_lastlog: Do not log info about failed login if the session was opened
  with PAM_SILENT flag
* pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
* pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
  limit
* pam_mkhomedir: Fixed return value when the user is unknown
* pam_motd: Export MOTD_SHOWN=pam after showing MOTD
* pam_motd: Support multiple motd paths specified, with filename overrides
* pam_namespace: Added a systemd service, which creates the namespaced
  instance parent directories during boot
* pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
* pam_selinux: Check unknown object classes or permissions in current policy
* pam_selinux: Fall back to log to syslog if audit logging fails
* pam_setquota: New module to set or modify disk quotas on session start
* pam_shells: Recognize /bin/sh as the default shell
* pam_succeed_if: Fixed potential override of the default prompt
* pam_succeed_if: Support lists in group membership checks
* pam_time: Added conffile= option to specify an alternative configuration file
* pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
* pam_umask: Added new 'nousergroups' module argument and allowed specifying
  the default for usergroups at build-time
* pam_unix: Added 'nullresetok' option to allow resetting blank passwords
* pam_unix: Report unusable hashes found by checksalt to syslog
* pam_unix: Return PAM_AUTHINFO_UNAVAIL when shadow entry is unavailable
* pam_unix: Support for (gost-)yescrypt hashing methods
* pam_unix: Use bcrypt b-variant when bcrypt is chosen
* pam_usertype: New module to tell if uid is in login.defs ranges
* Fixed and documented possible values returned by pam_get_user()
* Added new API call pam_start_confdir() for special applications that
  cannot use the system-default PAM configuration paths and need to
  explicitly specify another path
* Deprecated pam_cracklib: this module is no longer built by default and will
  be removed in the next release, use pam_passwdqc (from passwdqc project)
  or pam_pwquality (from libpwquality project) instead
* Deprecated pam_tally and pam_tally2: these modules are no longer built
  by default and will be removed in the next release, use pam_faillock instead

@mweinelt mweinelt added this to WIP in Staging via automation Dec 19, 2020
@mweinelt mweinelt moved this from WIP to Needs review in Staging Dec 19, 2020
mweinelt (Member) commented Dec 20, 2020

Unlabeling security as 1.3.1 was not vulnerable. Per linux-pam/linux-pam#300 (comment) the issue was introduced with release 1.5.0.

@GrahamcOfBorg eval

flokli (Contributor) commented Jan 3, 2021

This removed pam_tally, in favor of pam_faillock (see release notes), but the former is still referenced in nixos/modules/security/pam.nix.

We didn't add pam_faillock either. There seem to be more regressions with su too: #108313

@NeQuissimus what's up with this? Should we revert this for now?

ghost commented Jan 3, 2021

We don't need to revert, changing pam_tally to pam_faillock also fixes the su issue.
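The regression flokli describes (a module that the 1.5.0 release notes list as removed, pam_tally, still named in the NixOS PAM configuration) is the kind of thing a small pre-upgrade check catches before su breaks. The following is an added example, not code from the nixpkgs PR or from Linux-PAM: it scans pam.d-style text for the modules the release notes above say were removed in 1.5.0 (pam_tally, pam_tally2, pam_cracklib) and names the replacement the notes give for each. The sample su configuration is constructed for the example.

```python
"""Flag PAM configuration lines that reference modules removed in Linux-PAM 1.5.0.

Added example, not part of the nixpkgs PR or of Linux-PAM. The
removed-module -> replacement table is taken from the 1.5.0 release
notes quoted in this thread; the sample pam.d content is constructed.
"""
import re
from typing import Dict, List, NamedTuple

# Per the Linux-PAM 1.5.0 release notes: these modules are no longer built,
# so a configuration that still names them will not find the module on 1.5.x.
REMOVED_MODULES: Dict[str, str] = {
    "pam_tally": "pam_faillock",
    "pam_tally2": "pam_faillock",
    "pam_cracklib": "pam_passwdqc (passwdqc) or pam_pwquality (libpwquality)",
}


class Finding(NamedTuple):
    lineno: int        # 1-based line number in the scanned text
    module: str        # removed module that was referenced
    replacement: str   # replacement named in the release notes
    line: str          # the offending line, verbatim


# A pam.d line is: type control module-path [args]. We only need the module
# name, which is the basename of the module-path minus the ".so" suffix.
_MODULE_RE = re.compile(r"\b(pam_[a-z0-9_]+)\.so\b")


def find_removed_modules(config_text: str) -> List[Finding]:
    """Return one Finding per non-comment line that loads a removed module."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        match = _MODULE_RE.search(line)
        if match and match.group(1) in REMOVED_MODULES:
            module = match.group(1)
            findings.append(Finding(lineno, module, REMOVED_MODULES[module], raw))
    return findings


def report(config_text: str) -> List[str]:
    """Human-readable messages, one per finding, suitable for a CI check."""
    return [
        f"line {f.lineno}: {f.module}.so was removed in Linux-PAM 1.5.0; "
        f"use {f.replacement} instead: {f.line.strip()}"
        for f in find_removed_modules(config_text)
    ]


# Constructed sample in the shape of a pre-1.5.0 /etc/pam.d/su; not the
# actual content of nixos/modules/security/pam.nix.
SAMPLE_PAM_SU = """\
# /etc/pam.d/su (constructed sample)
auth     required   pam_tally.so deny=3 unlock_time=600
auth     sufficient pam_rootok.so
auth     required   pam_unix.so
password requisite  pam_cracklib.so retry=3
password required   pam_unix.so
account  required   pam_unix.so
"""

if __name__ == "__main__":
    for message in report(SAMPLE_PAM_SU):
        print(message)
```

On the sample, the check flags line 2 (pam_tally) and line 5 (pam_cracklib) and leaves pam_rootok and pam_unix alone; running it over the generated pam.d files of a NixOS build before merging a libpam bump is a cheap way to surface exactly this class of breakage.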

ghost mentioned this pull request Jan 3, 2021

FRidh pushed a commit that referenced this pull request Jan 3, 2021:

Fixes #108313

#107185 removed pam_tally, in favor of pam_faillock (see release notes).

kampka mentioned this pull request Jan 12, 2021