[tor-bugs] #6367 [Internal Services/Tor Sysadmin Team]: make dedicated sudo passwords

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 16 05:49:41 UTC 2019


#6367: make dedicated sudo passwords
-------------------------------------------------+-------------------------
 Reporter:  weasel                               |          Owner:  anarcat
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by weasel):

 Replying to [comment:12 anarcat]:
 > {{{
 >
 > -#auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
 pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
 > -auth [authinfo_unavail=ignore success=done ignore=ignore
 default=ignore] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
 > +# use the LDAP-derived password file for sudo access
 > +auth [authinfo_unavail=ignore success=done ignore=ignore default=die]
 pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
 >
 > - at include common-auth
 > +# disable /etc/password for sudo authentication, see #6367
 > +#@include common-auth
 >  @include common-account
 >  @include common-session-noninteractive
 > }}}
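Review bot: with `@include common-auth` commented out, the `pam_pwdfile.so` line is the only module left on the auth stack, so any return code that maps to `ignore` (here `authinfo_unavail`, and `ignore` itself) reaches the end of the stack without any module having set a result, and the outcome is then whatever the PAM library does by default rather than something this file states. Terminate the stack explicitly after the `pam_pwdfile.so` line, either with a fallback such as `auth required pam_unix.so try_first_pass` or with `auth required pam_deny.so`, so that the `ignore` actions have a defined next step. Note also that the surviving line changes `default=ignore` to `default=die`: a wrong password now aborts the stack instead of falling through, which is the safer direction but is not mentioned in the new comment. The comment text `disable /etc/password` presumably means `/etc/passwd`.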

 I'm not convinced.  Having `authinfo_unavail=ignore` and `ignore=ignore`
 without an explicit next item on the auth stack seems fishy.

 Here's what Debian does, and I think it's sane:
 {{{
 auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
 auth required pam_unix.so nullok_secure try_first_pass
 }}}

 This does auth against `pam_pwdfile`, and only if an entry is not there do
 we fall back to `pam_unix`.  Either that or a flat-out deny seems like a
 good idea.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6367#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
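
To make the difference between the three stacks discussed in this ticket concrete, here is an added example (an editor's illustration, not code from the ticket or from the Tor sysadmin team's configuration): a small Python model of how Linux-PAM dispatches an `auth` stack, following the control-flag semantics described in pam.conf(5), run over the stack from the quoted change, the Debian variant weasel quotes, and the explicit-deny alternative. The per-module return codes are scenario inputs chosen by hand rather than obtained from real modules; the example assumes `pam_pwdfile` reports a missing entry as `authinfo_unavail` (which is what the `authinfo_unavail=ignore` mapping exists for) and that `pam_deny` returns `auth_err`. The `evaluate` and `undecided_cases` helpers and the `returns` dictionary are the example's own.

```python
"""Model a Linux-PAM 'auth' stack and flag stacks whose outcome is left
to the library rather than stated by the configuration.

Added example, not from ticket #6367 or the Tor puppet configuration.
It follows the ok/done/bad/die/ignore/jump semantics of pam.conf(5);
module return codes are supplied per scenario, not produced by modules."""

import re

# Keyword controls expanded to their bracketed equivalents, per pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(?:\s+(.*))?$")

UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"


def parse_stack(text, facility="auth"):
    """Return [(module, {retcode: action})] for one facility of a PAM file.
    Comments and '@include' lines are skipped, so a commented-out include
    contributes nothing, exactly as in the quoted change."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != facility:
            continue
        ctrl = m.group(2)
        spec = KEYWORDS[ctrl] if ctrl in KEYWORDS else ctrl.strip("[]")
        actions = dict(kv.split("=", 1) for kv in spec.split())
        stack.append((m.group(3), actions))
    return stack


def run_stack(stack, returns):
    """Evaluate an auth stack; `returns` maps module name -> return code.

    Mirrors Linux-PAM dispatch: the first bad/die is sticky, done stops
    the stack on success, ignore contributes nothing, a number jumps.
    Returns (result, decided). decided is False when no module set a
    result, so the caller got the library's initial value (Linux-PAM
    starts from PAM_PERM_DENIED) rather than a configured decision."""
    impression, status = UNDEF, "perm_denied"
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        rv = returns.get(module, "success")          # scenario input
        action = actions.get(rv, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action.isdigit():                          # jump over N modules
            i += int(action)
        elif action in ("ok", "done"):
            if impression == UNDEF or (impression == POSITIVE and status == "success"):
                impression, status = POSITIVE, rv
            if action == "done" and impression == POSITIVE:
                break
        elif action in ("bad", "die"):
            if impression != NEGATIVE:
                impression, status = NEGATIVE, rv
            if action == "die":
                break
    if impression == UNDEF:
        return "perm_denied", False
    return status, True


# Constructed configs: the stack from the quoted change, Debian's fallback
# variant, and the "flat out deny" alternative mentioned in the comment.
TICKET_STACK = """
auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
#@include common-auth
@include common-account
"""
DEBIAN_STACK = TICKET_STACK.replace(
    "#@include common-auth", "auth required pam_unix.so nullok_secure try_first_pass")
DENY_STACK = TICKET_STACK.replace("#@include common-auth", "auth required pam_deny.so")


def evaluate(config, pwdfile_rv, unix_rv="success"):
    """Run one scenario: what pam_pwdfile and pam_unix report for this user.
    Assumes pam_pwdfile signals a missing entry as authinfo_unavail and
    that pam_deny answers auth_err."""
    returns = {"pam_pwdfile.so": pwdfile_rv, "pam_unix.so": unix_rv,
               "pam_deny.so": "auth_err"}
    return run_stack(parse_stack(config), returns)


def undecided_cases(config, candidates=("success", "auth_err", "authinfo_unavail", "user_unknown")):
    """pam_pwdfile return codes for which the stack ends with no decision."""
    return [rv for rv in candidates if not evaluate(config, rv)[1]]


if __name__ == "__main__":
    for name, cfg in (("ticket", TICKET_STACK), ("debian", DEBIAN_STACK), ("deny", DENY_STACK)):
        print(name, "undecided for:", undecided_cases(cfg))
```

Running it shows the ticket stack leaving `authinfo_unavail` undecided (the user is simply absent from the sudo password file), while both the Debian fallback and the `pam_deny.so` terminator give every scenario a configured answer; a useful pre-deploy check for any PAM file that relies on `ignore` actions.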