[Bug 2048781] Re: [MIR] authd

2024-04-22 Thread Didier Roche-Tolomelli
We decided to remove the authd package in noble for the time being.

The current implementation (in particular the one in the PAM module) is
not up to our standard in terms of quality and what we are comfortable
to support in the long term. Rather than releasing as is and having
risky SRUs in the future changing a large part of the implementation, we
decided against this and would rather polish the code, secure it, add
even more tests and release all that as a new package SRUed to the
24.04 LTS in the coming months.

That way, we won’t risk regressing any potential users and we will use an
architecture we are more comfortable supporting for the next 5/10 years of the
LTS release.
It means that when we reintroduce it, we will re-request a new MIR too, as the
PAM module will largely change and we want to ensure we follow the process and
quality standard we expect for the Ubuntu distribution.


** Changed in: authd (Ubuntu)
   Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2048781

Title:
  [MIR] authd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/authd/+bug/2048781/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2048781] Re: [MIR] authd

2024-04-02 Thread Lukas Märdian
Security review looking good (comments #23 & #21) and no required MIR
TODOs (comment #12).

Package has a team-bug-subscriber (~desktop-packages). Please move ahead
and make the seed/dependency change to pull authd into main.

** Changed in: authd (Ubuntu)
   Status: Incomplete => In Progress


[Bug 2048781] Re: [MIR] authd

2024-04-01 Thread João Gomes
Hi, I reviewed the internal/adapter module as requested by SE,
everything seemed to be in order. The crypto they use seems to be
correct and the standard lib is used. The code is structured as I would
expect for an adapter.


[Bug 2048781] Re: [MIR] authd

2024-03-27 Thread Mark Esler
I believe this issue can be set to In Progress and is ready for
promotion to main.

@didrocks, @slyon: please ping me if anything is needed from Security.


[Bug 2048781] Re: [MIR] authd

2024-03-27 Thread Mark Esler
I am posting this Security MIR on behalf of Sudhakar Verma (@sudhackar)
since he is out of the office.

---

I reviewed authd 0.2.1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

authd is a service that builds cloud-based authentication and MFA from clouds
such as OpenID Connect or Microsoft Azure / Entra ID. This is also a
framework that will help create authentication broker services.

- CVE History
  - no CVE found
- Build-Depends
  - pam related libraries
- libpam0g-dev
  - language runtimes
- golang-go
- dh-cargo
  - jq
  - protobuf-compiler
- pre/post inst/rm scripts
  - add/remove authd to /etc/nsswitch.conf
- init scripts
  - No
- systemd units
  - Creates 'authd.service' - which is expected since this is a service to
    manage the authentication with a daemon
- dbus services
  - No
- setuid binaries
  - No
- binaries in PATH
  - /usr/sbin/authd
- sudo fragments
  - No
- polkit files
  - No
- udev rules
  - No
- unit tests / autopkgtests
  - unit tests and autopkgtests are there and working quite fine
- cron jobs
  - No
- Build logs
  - some warnings from tests and autopkgtests but nothing major

- Processes spawned
  - gpasswd is spawned to manage user-group associations. The path seems to
    be hardcoded
- Memory management
  - code is mostly go - some glue for handling native libs in rust and C
but no problems seen there. The tests cover the cases well.
- File IO
  - the daemon relies on a database file, config files and files related to
    user accounts - like /etc/group. The config files could be based in user's
    home, /etc - nothing concerning. Seems safe.
- Logging
  - logrus is used - under vendor. Seems safe.
- Environment variable usage
  - Used to enable debugging, PAM specific glue, DBUS etc. Seems safe.
- Use of privileged functions
  - No
- Use of cryptography / random number sources etc
  - RNG - uses crypto/rand from stdlib which is a CSPRNG. Seems safe.
  - Cryptography - Uses RSA from crypto/rsa - PKCS #1 and RFC 8017 for PAM
side encryption. Seems safe.
  - Hashing - Only uses sha512 from crypto/sha512. Seems safe.
- Use of temp files
  - only while testing. Seems safe.
- Use of networking
  - All networking is done through unix sockets within PAM. Seems safe.
- Use of WebKit
  - No.
- Use of PolicyKit
  - No.

- Any significant cppcheck results
  - No
- Any significant Coverity results
  - No
- Any significant shellcheck results
  - No. authd only has scripts which are used during building.
- Any significant bandit results
  - No
- Any significant govulncheck results
  - No
- Any significant Semgrep results
  - go.grpc.security.grpc-server-insecure-connection
- The connection is through a unix socket, so it's only accessible locally
  and is within PAM, so we are protected by the pam stack as well.
  - go.lang.security.audit.dangerous-exec-command
- The command is static - 'gpasswd' as defined in defaultOptions,
  so this is an FP.

authd is a daemon that implements managing user authentication and related
services like MFA. It can be used to integrate with different auth providers
with our own brokers by exposing a dbus interface. It maintains a database
at runtime locally to handle user accounts. It also exposes NSS and PAM
services over grpc.

What this basically means is - authd is a complex project that talks to various
services and exposes a few of its own - it's stateful and is a daemon. It also
handles authentication - one of the key foundations of the security of a system.
However, the project looks good in terms of maintainability. There are plenty
of integration, unit and end-to-end tests. The project is well documented, and
is well maintained. The history looks clean and the maintainers are easy to
approach and talk to.

Security team ACK for promoting authd to main.


** Changed in: authd (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

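
The review above accepts the grpc-server-insecure-connection finding because the
gRPC endpoint is a unix socket and therefore "only accessible locally". The
caveat a practitioner would add: local still means any process that can open
the socket path, so two things decide who talks to the daemon: the mode of the
socket file (the kernel refuses connect() without write permission on it) and,
independently, the peer credentials the kernel attaches to the connection. The
following is an added example, not authd's code, showing how a Go unix-socket
server reads the connecting peer's UID through SO_PEERCRED (Linux only) and
refuses other users. The socket path, the 0600 mode and the allowed-UID set
(root plus the daemon's own UID) are assumptions for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// peerUID asks the kernel (SO_PEERCRED, Linux only) for the UID of the
// process at the other end of a connected AF_UNIX socket. The client cannot
// forge this; the kernel fills it in at connect() time.
func peerUID(conn *net.UnixConn) (uint32, error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return 0, err
	}
	var cred *syscall.Ucred
	var cerr error
	if err := raw.Control(func(fd uintptr) {
		cred, cerr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil {
		return 0, err
	}
	if cerr != nil {
		return 0, cerr
	}
	return cred.Uid, nil
}

// acceptAllowed accepts one connection and closes it unless the peer UID is
// in allowed. A gRPC server would do the same inside a net.Listener wrapper
// before handing the connection to grpc.Server.Serve.
func acceptAllowed(ln *net.UnixListener, allowed map[uint32]bool) (*net.UnixConn, uint32, error) {
	conn, err := ln.AcceptUnix()
	if err != nil {
		return nil, 0, err
	}
	uid, err := peerUID(conn)
	if err != nil {
		conn.Close()
		return nil, 0, err
	}
	if !allowed[uid] {
		conn.Close()
		return nil, uid, errors.New("peer uid not allowed")
	}
	return conn, uid, nil
}

// demoRoundTrip listens on sockPath, tightens the socket to 0600, connects to
// it from this same process and returns the UID the server side observed.
func demoRoundTrip(sockPath string) (uint32, error) {
	ln, err := net.ListenUnix("unix", &net.UnixAddr{Name: sockPath, Net: "unix"})
	if err != nil {
		return 0, err
	}
	defer ln.Close() // also unlinks the socket file
	// Assumption for the demo: chmod after listen. A daemon should instead
	// create the socket inside a directory it owns with mode 0700, so there is
	// no window between listen() and chmod() where others may connect.
	if err := os.Chmod(sockPath, 0o600); err != nil {
		return 0, err
	}
	allowed := map[uint32]bool{0: true, uint32(os.Getuid()): true}
	type result struct {
		uid uint32
		err error
	}
	done := make(chan result, 1)
	go func() {
		conn, uid, err := acceptAllowed(ln, allowed)
		if conn != nil {
			conn.Close()
		}
		done <- result{uid, err}
	}()
	client, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: sockPath, Net: "unix"})
	if err != nil {
		return 0, err
	}
	defer client.Close()
	r := <-done
	return r.uid, r.err
}

func main() {
	dir, err := os.MkdirTemp("", "peercred")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	uid, err := demoRoundTrip(filepath.Join(dir, "authd-example.sock"))
	fmt.Println("server saw peer uid", uid, "err:", err)
}
```

Both checks are cheap and complementary: the file mode stops connections
before accept(), the SO_PEERCRED lookup gives the server an unforgeable identity
to log and to authorize against once the connection exists.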
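
The dangerous-exec-command finding is dismissed above because the program is
static. What stays caller-influenced in such a call is the argument list: a
user or group name beginning with "-" is parsed by the spawned tool as an
option, and a name carrying whitespace or shell metacharacters becomes a
problem the moment the call is ever routed through a shell. The following is an
added example, not authd's code, of one way to keep that exec boundary tight in
Go: an absolute path to the binary, a conservative name validator applied
before the argv is built, and a cleared environment. The path /usr/bin/gpasswd,
the name regex and the two allowed operations are assumptions for the example.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"regexp"
	"time"
)

// Assumption: absolute path of the shadow-utils binary on Ubuntu. Never
// resolve it through PATH, which a caller could influence.
const gpasswdPath = "/usr/bin/gpasswd"

// Conservative subset of valid Unix names: lowercase start, so no leading
// '-', no whitespace or shell metacharacters, bounded length. An assumption
// for this example; real deployments should follow their NSS back end's rules.
var nameRe = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

func validName(s string) bool { return nameRe.MatchString(s) }

// Operation is the closed set of gpasswd actions we are willing to run.
type Operation string

const (
	AddToGroup      Operation = "-a"
	RemoveFromGroup Operation = "-d"
)

// gpasswdArgs builds the argv for one membership change. It refuses names that
// fail validation, so "-d" or "--help" can never reach gpasswd as a user name.
func gpasswdArgs(op Operation, user, group string) ([]string, error) {
	switch op {
	case AddToGroup, RemoveFromGroup:
	default:
		return nil, fmt.Errorf("unsupported operation %q", op)
	}
	if !validName(user) {
		return nil, fmt.Errorf("invalid user name %q", user)
	}
	if !validName(group) {
		return nil, fmt.Errorf("invalid group name %q", group)
	}
	return []string{gpasswdPath, string(op), user, group}, nil
}

// runGpasswd executes the change with a bounded runtime and an empty
// environment; argv goes straight to execve, so no shell is involved.
func runGpasswd(ctx context.Context, op Operation, user, group string) error {
	argv, err := gpasswdArgs(op, user, group)
	if err != nil {
		return err
	}
	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
	defer cancel()
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	cmd.Env = []string{} // nothing from the caller's environment leaks in
	out, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("%s: %v: %s", argv[0], err, out)
	}
	return nil
}

func main() {
	// Constructed inputs: one valid pair and two that must be rejected.
	for _, tc := range []struct{ user, group string }{
		{"alice", "sudo"},
		{"-d", "sudo"},       // would be parsed as an option by gpasswd
		{"bob; id", "users"}, // harmless under execve, fatal under a shell
	} {
		argv, err := gpasswdArgs(AddToGroup, tc.user, tc.group)
		fmt.Printf("%q %q -> %q err=%v\n", tc.user, tc.group, argv, err)
	}
}
```

runGpasswd is only exercised on a host that has the binary and the privileges
to change group membership; gpasswdArgs is the part worth unit-testing, because
it is where untrusted names are stopped.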

[Bug 2048781] Re: [MIR] authd

2024-03-26 Thread Didier Roche-Tolomelli
I continued exploring this topic myself last week and was able to rely
on a tool developed for this:
https://github.com/coreos/cargo-vendor-filterer/.

This tool is not ideal in the sense that:
- it vendorizes the whole content
- then, it filters by replacing entire crates based on some filtering rules,
like arch, platform or file exclusion. The replacement is done by an empty
module, and re-checksumming.

So basically, cargo and rustc still think the crate is available, it
just happens to be empty. Consequently, we wouldn’t know if we are
impacted or not by a security issue before manual checking.

However, I see this as a step in the right direction, so I implemented this in
authd: https://github.com/ubuntu/authd/pull/270/files. Here, we are filtering
to only keep the Linux platform, on all our supported architectures (which are
tier 1 and 2 in the Rust world).
The benefit is that we are now able to remove our manual re-checksumming after
purging the binary library archive files which are part of some crates.

This tool runs during the package source build. I would feel better if
this was packaged and maintained in Ubuntu (as this potentially injects
some code), and was part of our standard tooling. I will reach out to the Rust
maintainer for the incoming engineering sprint. I think we can still
trust this repository as it’s part of a well-known organization with
famous open source maintainers of multiple decades' standing.

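
As the message above describes, cargo-vendor-filterer leaves stubbed crates in
place and rewrites their checksums, so three questions need their own check
after vendoring: which crates are real and which are empty stand-ins, whether
any prebuilt binary archives are still shipped inside a crate, and whether any
file changed after the checksums were written. The following is an added
example, not authd's or cargo-vendor-filterer's code: a small Go linter over a
vendor_rust/ tree that verifies every file against the crate's
.cargo-checksum.json, flags binary archives and reports crates with no source
bytes under src/. The stub heuristic and the extension list are assumptions,
and the sample tree is constructed in a temporary directory.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// checksumFile mirrors the "files" map of the .cargo-checksum.json that
// cargo vendor writes: relative path -> sha256 hex of the file content.
type checksumFile struct {
	Files map[string]string `json:"files"`
}

// Finding kinds: "missing" (listed but absent), "mismatch" (content differs
// from the recorded hash), "binary" (prebuilt archive inside a crate) and
// "stub" (no source bytes under src/, i.e. a filtered-out placeholder).
type Finding struct{ Crate, Kind, Path string }

// Assumption: extensions that mean prebuilt objects rather than source.
var binaryExts = map[string]bool{".a": true, ".lib": true, ".dll": true, ".so": true, ".dylib": true, ".o": true}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func lintCrate(vendorDir, crate string) ([]Finding, error) {
	dir := filepath.Join(vendorDir, crate)
	raw, err := os.ReadFile(filepath.Join(dir, ".cargo-checksum.json"))
	if err != nil {
		return nil, err
	}
	var cs checksumFile
	if err := json.Unmarshal(raw, &cs); err != nil {
		return nil, fmt.Errorf("%s: %w", crate, err)
	}
	var out []Finding
	srcBytes := 0
	for rel, want := range cs.Files {
		data, err := os.ReadFile(filepath.Join(dir, filepath.FromSlash(rel)))
		if err != nil {
			out = append(out, Finding{crate, "missing", rel})
			continue
		}
		if sha256Hex(data) != want {
			out = append(out, Finding{crate, "mismatch", rel})
		}
		if binaryExts[strings.ToLower(filepath.Ext(rel))] {
			out = append(out, Finding{crate, "binary", rel})
		}
		if strings.HasPrefix(rel, "src/") {
			srcBytes += len(data)
		}
	}
	if srcBytes == 0 {
		out = append(out, Finding{crate, "stub", "src/"})
	}
	return out, nil
}

// lintVendorDir lints every crate directory; the result is sorted so two
// vendoring runs can be diffed.
func lintVendorDir(vendorDir string) ([]Finding, error) {
	entries, err := os.ReadDir(vendorDir)
	if err != nil {
		return nil, err
	}
	var all []Finding
	for _, e := range entries {
		if !e.IsDir() {
			continue
		}
		fs, err := lintCrate(vendorDir, e.Name())
		if err != nil {
			return nil, err
		}
		all = append(all, fs...)
	}
	sort.Slice(all, func(i, j int) bool {
		return all[i].Crate+all[i].Kind+all[i].Path < all[j].Crate+all[j].Kind+all[j].Path
	})
	return all, nil
}

func countKind(fs []Finding, kind string) (n int) {
	for _, f := range fs {
		if f.Kind == kind {
			n++
		}
	}
	return n
}

// writeTestCrate lays down a constructed crate with a consistent checksum
// file, i.e. what a freshly vendored crate looks like before anyone edits it.
func writeTestCrate(vendorDir, crate string, files map[string][]byte) error {
	dir := filepath.Join(vendorDir, crate)
	cs := checksumFile{Files: map[string]string{}}
	for rel, data := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, data, 0o644); err != nil {
			return err
		}
		cs.Files[rel] = sha256Hex(data)
	}
	j, _ := json.Marshal(cs)
	return os.WriteFile(filepath.Join(dir, ".cargo-checksum.json"), j, 0o644)
}

func main() {
	vendor, _ := os.MkdirTemp("", "vendor_rust")
	defer os.RemoveAll(vendor)
	// Constructed sample: a filtered-out stub and a crate carrying a blob.
	writeTestCrate(vendor, "stub-0.1.0", map[string][]byte{"src/lib.rs": nil})
	writeTestCrate(vendor, "blob-2.0.0", map[string][]byte{"src/lib.rs": []byte("x"), "lib/libfoo.a": []byte("!<arch>\n")})
	findings, _ := lintVendorDir(vendor)
	for _, f := range findings {
		fmt.Printf("%-12s %-9s %s\n", f.Crate, f.Kind, f.Path)
	}
}
```

The "stub" list is the piece the message above says is otherwise invisible: it
is the set of crate names to check against advisories by hand, since cargo and
rustc will happily report them as present.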

[Bug 2048781] Re: [MIR] authd

2024-02-28 Thread Mark Esler
A centralized vendor-linter is the best longterm option. Toolchains
needs more resources before they can provide a solution (FR-6859).


[Bug 2048781] Re: [MIR] authd

2024-02-28 Thread Didier Roche-Tolomelli
We agreed during the MIR meeting that a generic tooling as part of
debhelper would be the best way, didn’t we?

See my arguments above on different upstream policies in different source
packages, where if we start introducing this on a per-package basis, that
would create divergences between projects. Does it make sense to have
this centrally managed (by our Rust toolchain expert, ideally)?

That way, we can go beyond trimming the Windows crates, like tree
shaking and so on?


[Bug 2048781] Re: [MIR] authd

2024-02-27 Thread Seth Arnold
How about a debian/rules 'vendor' target that would run the crate vendor
and then rm -rf the windows crates?


[Bug 2048781] Re: [MIR] authd

2024-02-27 Thread Lukas Märdian
Can we try to reduce the set of unneeded vendored dependencies, similar
to how it is described here for Rust
https://wiki.ubuntu.com/RustCodeInMain ?


[Bug 2048781] Re: [MIR] authd

2024-02-27 Thread Ioanna Alifieraki
@jibel

> can you point to the Debian Go packaging guidelines you're mentioning?
https://go-team.pages.debian.net/packaging.html

It is stated in the bug description:
"- This package violates Debian Policy. It vendorizes various Go (in vendor/) 
and Rust libraries (in vendor_rust/). We are maintaining them up to date with 
dependabot in our upstream CI. The Go part is covered by the govulncheck 
security scanning on the Go version we are depending on and its vendored 
dependency."

However, there's no TODO wrt that. Just the translations as a
recommendation.


[Bug 2048781] Re: [MIR] authd

2024-02-25 Thread Mark Esler
Thanks @didrocks!

I added a comment to the upstream cargo issue based on advice from
toolchains and ~Rust [0]. This issue is also raised in ubuntu-mir [1].

I'll mention this at the next MIR meeting.

[0] https://github.com/rust-lang/cargo/issues/11929#issuecomment-1960081509
[1] https://github.com/canonical/ubuntu-mir/issues/35
