Your message dated Mon, 7 Mar 2016 09:36:00 +0100
with message-id <[email protected]>
and subject line Re: Bug#816680: debian-security-support: postinst script hangs 
when /etc/pam.d/su optimized
has caused the Debian Bug report #816680,
regarding debian-security-support: postinst script hangs when /etc/pam.d/su 
optimized
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
816680: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816680
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debian-security-support
Version: 2015.04.04~deb7u1
Severity: wishlist

Dear Maintainer,

postinst script takes the risk to call su to invoke check-support-status
as the user 'debian-security-support', but hangs when the line
'auth sufficient pam_rootok.so' is missing or disabled in /etc/pam.d/su.

To avoid possible configuration conflict and provide a hint to sysadmin
when postinst interfere with /etc/pam.d/su rules, please add a preinst
script to the package.

For example, the script debian-security-support.preinst could look
like this:

#!/bin/sh
## Check if /etc/pam.d/su allows root to login as another user
## without prompting for password. If no, abort installation logging an
## error to help sysadmin to fix the problem.

case $1 in
  install|upgrade)
  if ! grep -qE '^\s*auth\s+sufficient\s+pam_rootok\.so' /etc/pam.d/su;
  then
    echo "'auth sufficient pam_rootok.so' not found in /etc/pam.d/su" |\
    logger -st "/usr/bin/dpkg --configure $DPKG_MAINTSCRIPT_PACKAGE"
    exit 1
  fi
  ;;
esac

Regards,
Mederic Claassen

--- End Message ---
--- Begin Message ---
Hi,

On Sat, 05 Mar 2016, Aide Ordi 49 wrote:
> Is it a necessity that ulysses could login (and spoof) as penelope and
> telemachus without knowing their passwords, even if ulysses can browse
> their files? I don't think so and even the program runas.exe
> Microsoft Windows forbid that behaviour by default.

As soon as you have root powers, you can do that, even if you configure
PAM differently... because root can edit the PAM configuration, or just
compile a program that does the "setuid" call, or use sudo.

If someone has root rights, requiring a password for su is not going
to protect anyone from anything. It can only break your system like
you noticed.

I'm surprised that debian-security-support is the only package that broke
on you but I'm sure that we can find plenty other examples in the Debian
repositories.

> That's why I would prefer this login capability for root was not enabled
> in /etc/pam.d/su by default.

You know that the root user doesn't have to login to "penelope" to
change/read files of penelope without her noticing? Even create new
files... they can be "chown"'ed after their creation.

> What I say is just: maybe one day, another person will try to install
> debian-security-support after he has customized /etc/pam.d/su.
> In this case, a message via syslog or frontend provided by a preinst
> script could help when su make dpkg to freeze, especialy if that person
> have not enough skills to debug and understand what
> /var/lib/dpkg/info/debian-security-support.postinst do.

If that person doesn't have those skills, then they would not have edited
/etc/pam.d/su.

Anyway I'm going to close this ticket because while your suggestion was
full of good intent, in fact I believe that it's not a good idea. It
would be a needless complication.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---

Reply via email to