Your message dated Thu, 24 Jan 2019 22:51:19 +0000
with message-id <[email protected]>
and subject line Bug#911907: fixed in monkeysphere 0.43-2
has caused the Debian Bug report #911907,
regarding monkeysphere: Install fails on systems with PAM login restrictions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
911907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911907
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: monkeysphere
Version: 0.42-2
Severity: normal
Tags: patch upstream
Dear Maintainer,
When I install monkeysphere on a FreedomBox, I get the following error:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
monkeysphere-validation-agent
The following NEW packages will be installed:
monkeysphere
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/78.0 kB of archives.
After this operation, 280 kB of additional disk space will be used.
Selecting previously unselected package monkeysphere.
(Reading database ... 205917 files and directories currently installed.)
Preparing to unpack .../monkeysphere_0.42-2_all.deb ...
Unpacking monkeysphere (0.42-2) ...
Setting up monkeysphere (0.42-2) ...
ms: setting up Monkeysphere authentication trust core...
su: Permission denied
Failed running transition script /usr/share/monkeysphere/transitions/0.23
dpkg: error processing package monkeysphere (--configure):
installed monkeysphere package post-installation script subprocess returned
error exit status 1
Processing triggers for man-db (2.8.4-2+b1) ...
Errors were encountered while processing:
monkeysphere
E: Sub-process /usr/bin/dpkg returned an error code (1)
Further, publishing of keys fails as follows:
root@mybox:/vagrant# monkeysphere-host publish
D7D055DF04C101AC1885FC0BA31A54C879664ED1
Really publish key 'D7D055DF04C101AC1885FC0BA31A54C879664ED1' to
pool.sks-keyservers.net? (Y/n)
su: Permission denied
This is due to the following setting in /etc/security/access.conf which prohibits
non-root users from logging into the system.
-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL
We faced a similar issue with the quassel-core package recently and the maintainer
fixed it by using runuser instead of su. From what I gather from man pages, it
should do the job here as expected. A patch is attached. runuser is part of
util-linux and is an essential package on Debian. While all the tests pass, I
am unable to ascertain the full impact of the change.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8),
LANGUAGE=en_IN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages monkeysphere depends on:
ii adduser 3.118
ii gnupg 2.2.10-3
ii libcrypt-openssl-rsa-perl 0.31-1
ii lockfile-progs 0.1.18
ii perl [libdigest-sha-perl] 5.26.2-7+b1
Versions of packages monkeysphere recommends:
pn agent-transfer <none>
ii cron [cron-daemon] 3.0pl1-130
ii netcat-openbsd [netcat] 1.190-2
ii openssh-client 1:7.8p1-1
ii socat 1.7.3.2-2
pn ssh-askpass <none>
Versions of packages monkeysphere suggests:
ii msva-perl [monkeysphere-validation-agent] 0.9.2-1
-- no debconf information
From 93b8d954d489e9b7096b91f82baf64d1bfd0273b Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <[email protected]>
Date: Thu, 25 Oct 2018 14:43:57 -0700
Subject: [PATCH] Use runuser instead of su
On systems with restricted PAM security, it may not be possible to use su.
---
src/monkeysphere-authentication | 2 +-
src/monkeysphere-host | 2 +-
src/share/common | 14 ++------------
3 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index b3eb1e6..3223294 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -137,7 +137,7 @@
GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"}
CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"}
LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}
-# export variables needed in su invocation
+# export variables needed for invoking command under monkeysphere user
export DATE
export LOG_LEVEL
export KEYSERVER
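Review bot: The reworded comment above the export block no longer tells the reader which code path consumes these variables. Name the helper in it (su_monkeysphere_user in src/share/common) and, since that helper changes from su to runuser in this same patch, confirm that DATE, LOG_LEVEL and KEYSERVER still reach the environment of the command run as the monkeysphere user. The identical comment change in src/monkeysphere-host needs the same treatment.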
diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index 75895e9..089c2b6 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -360,7 +360,7 @@ PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT}
GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}
-# export variables needed in su invocation
+# export variables needed for invoking command under monkeysphere user
export DATE
export LOG_LEVEL
export KEYSERVER
diff --git a/src/share/common b/src/share/common
index 80ae88a..22c4d3e 100644
--- a/src/share/common
+++ b/src/share/common
@@ -98,26 +98,16 @@ su_monkeysphere_user() {
# monkeysphere user, but without prompting for any sort of
# authentication. If this is not possible, we should just fail.
- # FIXME: our current implementation is overly restrictive, because
- # there may be some su PAM configurations that would allow su
- # "$MONKEYSPHERE_USER" -c "$@" to Just Work without prompting,
- # allowing specific users to invoke commands which make use of
- # this user.
-
- # chpst (from runit) would be nice to use, but we don't want to
- # introduce an extra dependency just for this. This may be a
- # candidate for re-factoring if we switch implementation languages.
-
case $(id -un) in
# if monkeysphere user, run the command as a subshell
"$MONKEYSPHERE_USER")
( "$@" )
;;
- # if root, su command as monkeysphere user
+ # if root, run command as monkeysphere user
'root')
# requote arguments using bash builtin feature (see "help printf"):
- su "$MONKEYSPHERE_USER" -s "$(which bash)" -c "$(printf "%q " "$@")"
+ runuser -u "$MONKEYSPHERE_USER" -- "$@"
;;
# otherwise, fail
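Review bot: The unchanged context comment in the 'root' branch, "# requote arguments using bash builtin feature (see "help printf"):", is left describing the printf "%q" requoting that this hunk removes, so it should be deleted together with the su line. The old line ran the arguments through bash -c, while the new line passes "$@" to runuser with no shell in between, so every caller of su_monkeysphere_user should be checked for arguments that are shell functions, builtins or compound command strings, and the commit message should record the result. The function also keeps the name su_monkeysphere_user although it no longer calls su; rename it or say why the name stays.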
--
2.19.1
--- End Message ---
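Why the access.conf rule quoted in the report turns `su` to the monkeysphere account into "Permission denied", as an added example (not part of the original report or of the monkeysphere code): a simplified evaluator for the user field of an access.conf rule, run against that rule. Assumptions: the origin field is treated as matching, a bare token is compared with the user name only, and the account `alice` and all group memberships are constructed.

```shell
#!/bin/sh
# Added example: simplified pam_access-style evaluation of access.conf rules.
# Assumptions: only the user field is evaluated (origin treated as matching),
# and a bare token is compared with the user name only.

# match_tokens USER "GROUPS" TOKEN... -> 0 if any token matches the account
match_tokens() {
    user=$1; groups=$2; shift 2
    for tok in "$@"; do
        case $tok in
            ALL) return 0 ;;
            \(*\)) g=${tok#\(}; g=${g%\)}          # "(name)" is a group
                   case " $groups " in *" $g "*) return 0 ;; esac ;;
            "$user") return 0 ;;
        esac
    done
    return 1
}

# user_field_matches USER "GROUPS" FIELD -> handles "list EXCEPT list"
user_field_matches() {
    case $3 in
        *" EXCEPT "*)
            incl=${3%% EXCEPT *}; excl=${3#* EXCEPT }
            match_tokens "$1" "$2" $incl &&
                ! user_field_matches "$1" "$2" "$excl" ;;
        *) match_tokens "$1" "$2" $3 ;;
    esac
}

# access_decision USER "GROUPS" < rules -> prints allow|deny (first match wins)
access_decision() {
    while IFS=: read -r perm users origins; do
        case $perm in ''|\#*) continue ;; esac
        user_field_matches "$1" "$2" "$users" || continue
        if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
        return 0
    done
    echo allow    # pam_access grants access when no rule matches
}

# The rule quoted in the bug report
PAGE_RULE='-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL'
check_page_rule() { printf '%s\n' "$PAGE_RULE" | access_decision "$1" "$2"; }

# Constructed accounts: "name:space-separated groups"
for acct in 'root:root' 'monkeysphere:monkeysphere' 'alice:alice sudo'; do
    printf '%-13s %s\n' "${acct%%:*}" "$(check_page_rule "${acct%%:*}" "${acct#*:}")"
done
```

Any system account that is neither listed nor in the admin or sudo group gets the same deny result, which is why package maintainer scripts that switch to a service user through `su` fail on such a host.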
--- Begin Message ---
Source: monkeysphere
Source-Version: 0.43-2
We believe that the bug you reported is fixed in the latest version of
monkeysphere, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated monkeysphere
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 24 Jan 2019 17:08:16 -0500
Source: monkeysphere
Binary: monkeysphere agent-transfer
Architecture: source
Version: 0.43-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Privacy Tools Maintainers
<[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Description:
agent-transfer - copy a secret key from GnuPG's gpg-agent to OpenSSH's
ssh-agent
monkeysphere - leverage the OpenPGP web of trust for SSH and TLS authentication
Closes: 656750 897366 901489 906755 911907
Changes:
monkeysphere (0.43-2) unstable; urgency=medium
.
* Autopkgtest should cover Ed25519 as well
* cherry-pick three upstream testing patches
.
monkeysphere (0.43-1) unstable; urgency=medium
.
* New upstream release
.
[ Sunil Mohan Adapa ]
* Improvements in TMPDIR handling (Closes: #656750, #911907)
* Remove shell for monkeysphere user (Closes: #901489)
.
[ Daniel Kahn Gillmor ]
* Avoid paranoid accidental lockout (Closes: #897366)
* Better error reporting for pem2openpgp (Closes: #906755)
* Bump standards-version to 4.3.0 (no changes needed)
* Move to debhelper 12
* Use https for upstream links
* Use https for wiki.debian.org
* d/control: use ${perl:Depends} for monkeysphere
* d/control: document versioned GnuPG dependency from upstream
* d/control: explicitly depend on openssh-client for ssh-keygen
* Note RSA and Ed25519 keys in agent-transfer description
* Tell debhelper where examples come from
* Avoid dh_missing reporting Changelog as "not installed"
* use dh_missing --fail-missing
--- End Message ---