Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: a2eed09a8c85
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 9c86e8faf54f
Choose a head ref
  • 2 commits
  • 2 files changed
  • 1 contributor

Commits on Dec 21, 2018

  1. security.pam: make pam_unix.so required, not sufficient 

    Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
#31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing it's 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
    @flokli
    flokli committed Dec 21, 2018

    Verified

    This commit was signed with the committer’s verified signature.
    yorickvP Yorick
    GPG key ID: A36E70F9DC014A15
    Verified
    Learn about vigilant mode
    Copy the full SHA
    d180bf3 View commit details

  2. Merge pull request #52488 from flokli/pam_account_unix_required 

    security.pam: make pam_unix.so required, not sufficient
    @flokli
    flokli authored Dec 21, 2018

    Verified

    This commit was signed with the committer’s verified signature.
    yorickvP Yorick
    GPG key ID: A36E70F9DC014A15
    Verified
    Learn about vigilant mode
    Copy the full SHA
    9c86e8f View commit details
Showing with 17 additions and 1 deletion.
  1. +16 −0 nixos/doc/manual/release-notes/rl-1903.xml
  2. +1 −1 nixos/modules/security/pam.nix
16 changes: 16 additions & 0 deletions nixos/doc/manual/release-notes/rl-1903.xml
View file
Original file line number Diff line number Diff line change
@@ -318,6 +318,22 @@
case.
</para>
</listitem>
<listitem>
<para>
The <literal>pam_unix</literal> account module is now loaded with its
control field set to <literal>required</literal> instead of
<literal>sufficient</literal>, so that later pam account modules that
might do more extensive checks are being executed.
Previously, the whole account module verification was exited prematurely
in case a nss module provided the account name to
<literal>pam_unix</literal>.
The LDAP and SSSD NixOS modules already add their NSS modules when
enabled. In case your setup breaks due to some later pam account module
previosuly shadowed, or failing NSS lookups, please file a bug. You can
get back the old behaviour by manually setting
<literal><![CDATA[security.pam.services.<name?>.text]]></literal>.
</para>
</listitem>
</itemizedlist>
</section>

2 changes: 1 addition & 1 deletion nixos/modules/security/pam.nix
View file
Original file line number Diff line number Diff line change
@@ -269,7 +269,7 @@ let
text = mkDefault
(''
# Account management.
account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
account required pam_unix.so
${optionalString use_ldap
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)