#6367: make dedicated sudo passwords
-------------------------------------------------+-------------------------
 Reporter:  weasel                               |          Owner:  anarcat
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
 * status:  needs_review => closed
 * resolution:   => fixed

Comment:

 I reviewed the `pam_pwdfile.so` source code (specifically `pam_pwdfile.c`)
 and I believe the following line will be safe and sufficient:

 {{{
 auth requisite pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
 }}}

 The full rationale is explained in the commit log:

 {{{
 commit 713de23ae1d484d870239b5f30d595cc224d71b2 (origin/sudo-ldap, sudo-ldap)
 Author: Antoine Beaupré <anar...@debian.org>
 Date:   Wed Oct 16 11:19:21 2019 -0400

     use a standard keyword instead of closer coupling with pwdfile

     The rationale here is the interface with the pam module might change
     without notice. By explicitly coupling the expected return values of
     the module, we might inadvertently misconfigure things.

     For example, the module configuration (authinfo_unavail=ignore,
     specifically) made it "fail open" (i.e. return "ignore") if there was a
     configuration error (missing file or filename, locking error) while
     using the standard "requisite" will make it fail closed (as default is
     "die").

     We use "requisite" instead of "required" because the former will
     immediately return in case of failure, skipping the rest of the stack,
     instead of falling through. We do not skip in case of success, but that
     might allow us to do other password checks later. The default will be
     success anyways so that should be okay.
 }}}

 I have deployed this change with Puppet everywhere and sent an announcement
 about the deployment on tor-project@:
 https://lists.torproject.org/pipermail/tor-project/2019-October/002548.html

 This is therefore all done.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6367#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
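The control-flag semantics the commit message relies on, as an added example that is not from the ticket or the Tor sysadmin repository: a small Python simulator of the pam.conf(5) control actions, run over a constructed two-line sudo auth stack. The second module (pam_unix.so) and the older tightly coupled control line (COUPLED) are assumptions made to show the fail-open versus fail-closed difference when the pwdfile cannot be read.

```python
# Added example, not from the ticket or the Tor sysadmin repo: a simulator of
# the Linux-PAM control semantics documented in pam.conf(5). Module return
# values are constructed; no real PAM module is invoked.

# pam.conf(5) equivalents for the simple control keywords.
REQUISITE = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"}
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}
# Assumed reconstruction of the earlier, tightly coupled line: a missing or
# unreadable pwdfile (authinfo_unavail) is mapped to "ignore".
COUPLED = {"success": "ok", "authinfo_unavail": "ignore", "default": "die"}

PWDFILE = "pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd"
FALLBACK = "pam_unix.so"  # assumed later module in the sudo auth stack


def evaluate(stack, results):
    """Walk an auth stack of (control, module) pairs.

    results maps module -> its return value, e.g. "success", "auth_err" or
    "authinfo_unavail" (returned when the module's backing data is unreadable).
    Returns (verdict, modules_consulted).
    """
    verdict = None
    consulted = []
    for control, module in stack:
        consulted.append(module)
        action = control.get(results[module], control["default"])
        if action == "ignore":
            continue  # result does not contribute to the stack verdict
        if action in ("ok", "done"):
            if verdict is None:
                verdict = "success"  # never overrides an earlier failure
            if action == "done" and verdict == "success":
                break  # sufficient-style early return
        else:  # "bad" or "die"
            verdict = "failure"
            if action == "die":
                break  # requisite: return immediately, skip the rest
    return (verdict or "failure"), consulted  # nothing contributed: deny


def sudo_auth(control, pwdfile_result):
    """Outcome of the two-module stack where only the pwdfile line varies."""
    stack = [(control, PWDFILE), (REQUIRED, FALLBACK)]
    return evaluate(stack, {PWDFILE: pwdfile_result, FALLBACK: "success"})


if __name__ == "__main__":
    for name, control in (("coupled", COUPLED), ("requisite", REQUISITE)):
        for rv in ("success", "auth_err", "authinfo_unavail"):
            print(f"{name:9} pwdfile={rv:17} -> {sudo_auth(control, rv)}")
```

With the coupled control a missing pwdfile is ignored and the stack falls through to the next module, whereas `requisite` turns the same condition into an immediate denial; a correct password still continues to later modules in both cases.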