#6367: make dedicated sudo passwords
-------------------------------------------------+-------------------------
 Reporter:  weasel                                |          Owner:  anarcat
     Type:  defect                                |         Status:  needs_review
 Priority:  Medium                                |      Milestone:
Component:  Internal Services/Tor Sysadmin Team   |        Version:
 Severity:  Normal                                |     Resolution:
 Keywords:                                        |  Actual Points:
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
* status: assigned => needs_review Comment: couldn't do this yesterday as i was on vacation, and now it feels a bit late in the day to perform the change - i'd like to have time during the day to help people with problems if they happen. so i'm going to do this tomorrow morning instead. i've also notified the GR people specifically to see if this will cause any problems on their side. i've pushed the changes to a `sudo-ldap` branch on the puppetmaster, which is ready for review, but it's basically this patch set: {{{ From 20850426446dab13c090932d8dbb13ccaeeeb3da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> Date: Tue, 15 Oct 2019 16:32:41 -0400 Subject: [PATCH 1/2] cleanup sudo's pam config: reuse common-auth The only difference was `try_first_pass` that is missing from common-auth, but considering we're going to remove that line anyways, it's worth keeping that refactoring separate in history. --- modules/sudo/files/pam | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/sudo/files/pam b/modules/sudo/files/pam index 1621e8d3..05642199 100644 --- a/modules/sudo/files/pam +++ b/modules/sudo/files/pam @@ -5,9 +5,7 @@ #auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd auth [authinfo_unavail=ignore success=done ignore=ignore default=ignore] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd -auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass -auth requisite pam_deny.so -auth required pam_permit.so +@include common-auth @include common-account @include common-session-noninteractive -- 2.20.1 }}} {{{ From b4c21e7e31b89e8b89476f16da8eb6bdfc666123 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> Date: Tue, 15 Oct 2019 16:33:36 -0400 Subject: [PATCH 2/2] disable /etc/password for sudo access (see #6367) --- modules/sudo/files/pam | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/sudo/files/pam b/modules/sudo/files/pam index 05642199..7e1ec366 100644 --- a/modules/sudo/files/pam +++ b/modules/sudo/files/pam @@ -3,9 +3,10 @@ ## #%PAM-1.0 -#auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd -auth [authinfo_unavail=ignore success=done ignore=ignore default=ignore] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd +# use the LDAP-derived password file for sudo access +auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd -@include common-auth +# disable /etc/password for sudo authentication, see #6367 +#@include common-auth @include common-account @include common-session-noninteractive -- 2.20.1 }}} -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6367#comment:12> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
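Review bot: in the PATCH 1/2 hunk (modules/sudo/files/pam, @@ -5,9 +5,7 @@), replacing the explicit `pam_unix.so nullok_secure try_first_pass` / `pam_deny.so` / `pam_permit.so` lines with `@include common-auth` makes the sudo auth stack inherit whatever pam-auth-update has placed in common-auth on each host, so the modules consulted after pam_pwdfile are no longer pinned by this file; the commit message should say that is intended, and it is worth confirming that common-auth on the puppet-managed hosts is the stock pam_unix/pam_deny/pam_permit sequence and nothing more. Dropping `try_first_pass` also means pam_unix prompts for the password itself instead of reusing the one pam_pwdfile already collected, so a user whose sudo-passwd entry does not match is asked twice; harmless if PATCH 2/2 lands in the same deploy, visible if the two are rolled out separately.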
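Review bot: in the PATCH 2/2 hunk (modules/sudo/files/pam, @@ -3,9 +3,10 @@), with `@include common-auth` commented out the only auth module left is pam_pwdfile with `authinfo_unavail=ignore`, so on a host where `/var/lib/misc/thishost/sudo-passwd` is missing or unreadable the stack finishes with no module having returned a definite result, and denial then rests on libpam's sanity check for an all-ignored stack rather than on anything explicit in this file. Consider `authinfo_unavail=die` on that line, or a trailing `auth required pam_deny.so`, so the stack fails closed by construction, and verify the file is generated on every host before the morning rollout. Minor: the comment `# disable /etc/password for sudo authentication, see #6367` names a file that does not exist; what is being disabled is pam_unix, i.e. the account's /etc/shadow password, and the comment (and commit subject) should say so.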
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs