Public bug reported:
If a configuration file in /usr/share/pam-configs has CRLF-style line
endings, pam-auth-update will silently fail with no errors.
I won't suggest that the config should allow CRLF line endings. But if a
file does have alternate line endings, the script should present an
error. As-is, there is no indication that the command failed unless you
manually inspect the generated configuration file. And then, there is no
hints as to what caused the config to not be accepted.
Example failure (pwquality is absent from common-password):
nate@localhost:/usr/share/pam-configs$ file pwquality
pwquality: ASCII text, with CRLF line terminators
nate@localhost:/usr/share/pam-configs$ sudo pam-auth-update --enable
pwquality
nate@localhost:/usr/share/pam-configs$ cat /etc/pam.d/common-password
[...]
# here are the per-package modules (the "Primary" block)
password required pam_pwhistory.so remember=400
password [success=2 default=ignore] pam_unix.so obscure use_authtok
try_first_pass yescrypt
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000
try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config
Example PASS:
nate@localhost:/usr/share/pam-configs$ file pwquality
pwquality: ASCII text
nate@localhost:/usr/share/pam-configs$ sudo pam-auth-update --enable
pwquality
nate@localhost:/usr/share/pam-configs$ cat /etc/pam.d/common-password
[...]
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
enforce_for_root
password required pam_pwhistory.so remember=400 use_authtok
password [success=2 default=ignore] pam_unix.so obscure use_authtok
try_first_pass yescrypt
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000
try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config
Regardless of line ending style, the relevant config line still is added to
/var/lib/pam:
nate@localhost:/$ cat /var/lib/pam/password
Module: pwquality
requisite pam_pwquality.so retry=3 enforce_for_root
[...]
** Affects: pam (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2091659
Title:
pam-auth-update silently fails if a config file has CRLF line endings
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2091659/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
