Bug#905710: PATCH: News.Debian and su.1 (Was Re: util-linux: "su: revoking keys needs to be documented')

2018-08-08 Thread Andreas Henriksson
Control: tags -1 = pending

On Thu, Aug 09, 2018 at 09:05:54AM +0530, Kapil Hari Paranjape wrote:
> Hello,
> 
> On Wed, 08 Aug 2018, Andreas Henriksson wrote:
> > Please do feel free to write something up and send it as a merge
> > request! Your contribution will be very appreciated! I'll offer to
> > review them once I find time for it.
> 
> I am attaching patches for "News.Debian" and "su.1".
> 
> In my opinion this should be adequate documentation of the changes.

Thanks a lot for your contributions!

I've massaged the NEWS part to apply and pushed it to the git repo.

Comments regarding the su(1) part:
- this is for upstream, please submit it there directly following the
  documented submission procedure if you want them to review it.
- I don't think what you wrote there is accurate. The su(1) binary
  does no such thing, it's the pam configuration you're talking about
  which is not part of util-linux upstream at all.

FYI the su-l pam config was copied from Fedora.

Regards,
Andreas Henriksson



Bug#905710: PATCH: News.Debian and su.1 (Was Re: util-linux: "su: revoking keys needs to be documented')

2018-08-08 Thread Kapil Hari Paranjape
Hello,

On Wed, 08 Aug 2018, Andreas Henriksson wrote:
> Please do feel free to write something up and send it as a merge
> request! Your contribution will be very appreciated! I'll offer to
> review them once I find time for it.

I am attaching patches for "News.Debian" and "su.1".

In my opinion this should be adequate documentation of the changes.

Regards,

Kapil.
--

--- NEWS.Debian.orig	2018-08-09 08:46:41.536831490 +0530
+++ NEWS.Debian	2018-08-09 08:49:59.515824839 +0530
@@ -11,7 +11,8 @@
 even in 'preserve environment' mode.
   - su '' (empty user string) used to give root, but now returns an error.
   - previously su only had one pam config, but now 'su -' is configured
-separately in /etc/pam.d/su-l
+separately in /etc/pam.d/su-l. This file additionally invokes
+'pam_keyinit' to revoke the session keyring.
 
   The first difference is probably the most user visible one. Doing
   plain 'su' is a really bad idea for many reasons, so using 'su -' is
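Review bot: the added sentence in the /etc/pam.d/su-l item says pam_keyinit is invoked "to revoke the session keyring" but does not say which keyring is affected or at what point it is revoked, so a reader cannot tell what changes for keys they hold across 'su -'. Suggest stating the user-visible effect in one clause, and writing the module name as pam_keyinit(8), as the su.1 hunk does, so the reader knows where the behaviour is documented.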
--- su.1.orig	2018-08-09 08:47:43.991829392 +0530
+++ su.1	2018-08-09 08:54:31.889815688 +0530
@@ -81,6 +81,11 @@
 .B TERM
 .TP
 o
+revokes the session keyring using the
+.BR pam_keyinit (8)
+module.
+.TP
+o
 initializes the environment variables
 .BR HOME ,
 .BR SHELL ,
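Review bot: the new list item between TERM and "initializes the environment variables" presents the keyring revocation as something su itself always does, while the NEWS.Debian hunk attributes it to /etc/pam.d/su-l invoking pam_keyinit. Suggest making the item conditional on the PAM configuration (for example "if the PAM configuration used for 'su -' includes pam_keyinit(8), the session keyring is revoked"), or documenting it where the su-l file is described, so the page stays accurate when the PAM configuration differs.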