[tor-bugs] #6367 [Internal Services/Tor Sysadmin Team]: make dedicated sudo passwords

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 16 15:49:22 UTC 2019


#6367: make dedicated sudo passwords
-------------------------------------------------+-------------------------
 Reporter:  weasel                               |          Owner:  anarcat
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):

 * status:  needs_review => closed
 * resolution:   => fixed


Comment:

 I reviewed the `pam_pwdfile.so` source code (specifically `pam_pwdfile.c`)
 and I believe the following line will be safe and sufficient:

 {{{
 auth    requisite        pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
 }}}

 The full rationale is explained in the commit log:

 {{{
 commit 713de23ae1d484d870239b5f30d595cc224d71b2 (origin/sudo-ldap, sudo-ldap)
 Author: Antoine Beaupré <anarcat at debian.org>
 Date:   Wed Oct 16 11:19:21 2019 -0400

     use a standard keyword instead of closer coupling with pwdfile

     The rationale here is the interface with the pam module might change
     without notice. By explicitly coupling the expected return values of
     the module, we might inadvertently misconfigure things.

     For example, the module configuration (authinfo_unavail=ignore,
     specifically) made it "fail open" (i.e. return "ignore") if there was a
     configuration error (missing file or filename, locking error) while
     using the standard "requisite" will make it fail closed (as default is
     "die").

     We use "requisite" instead of "required" because the former will
     immediately return in case of failure, skipping the rest of the stack,
     instead of falling through. We do not skip in case of success, but
     that might allow us to do other password checks later. The default
     will be success anyways so that should be okay.
 }}}

 I have deployed this change with Puppet everywhere and sent an
 announcement about the deployment on tor-project@:

 https://lists.torproject.org/pipermail/tor-project/2019-October/002548.html

 This is therefore all done.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6367#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
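The control-flag reasoning in the commit log above, worked through as an added example that is not part of the ticket or of the Tor sysadmin team's Puppet code: a small simulator of Linux-PAM's auth-stack semantics (the ok/done/bad/die/ignore actions libpam applies per module result) comparing `requisite` with an assumed bracket-style control that maps `authinfo_unavail=ignore`. The bracket form, the module results and the `pam_unix` stand-in for `@include common-auth` are constructed for illustration.

```python
# Added example: simulate Linux-PAM stack control semantics for the sudo
# auth stack discussed in the ticket. Not the project's own code.
SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL, PERM_DENIED = (
    "success", "auth_err", "authinfo_unavail", "perm_denied")

# Linux-PAM expands the simple keywords into bracket-style action maps.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# Assumption: a tightly coupled bracket control of the kind the commit log
# describes, which ignores the module's AUTHINFO_UNAVAIL (config error) result.
LOOSE_PWDFILE = {"success": "ok", "authinfo_unavail": "ignore", "default": "die"}

def run_auth_stack(stack):
    """stack: list of (control, module_name, module_fn).
    Returns (final_status, [modules that were actually invoked])."""
    impression, status, invoked = None, SUCCESS, []  # impression: undef/positive/negative
    for control, name, module in stack:
        actions = KEYWORDS[control] if isinstance(control, str) else control
        ret = module()
        invoked.append(name)
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):
            # 'ok' only overrides a stack that is still undecided or successful
            if impression is None or (impression and status == SUCCESS):
                impression, status = (ret == SUCCESS), ret
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            # the first failure decides the result; 'die' also stops the stack
            if impression is not False:
                impression, status = False, ret
            if action == "die":
                break
        # 'ignore': this module's result does not contribute to the stack
    if status == SUCCESS and not impression:
        status = PERM_DENIED  # libpam's sanity check: nothing positive happened
    return status, invoked

def sudo_auth(pwdfile_control, pwdfile_result):
    """Constructed /etc/pam.d/sudo: pam_pwdfile first, then pam_unix standing
    in for @include common-auth, which accepts the user's login password."""
    stack = [(pwdfile_control, "pam_pwdfile", lambda: pwdfile_result),
             ("required", "pam_unix", lambda: SUCCESS)]
    return run_auth_stack(stack)

if __name__ == "__main__":
    # Missing sudo-passwd file: the bracket form falls through to the login
    # password (fail open); requisite stops with a failure (fail closed).
    print(sudo_auth(LOOSE_PWDFILE, AUTHINFO_UNAVAIL))
    print(sudo_auth("requisite", AUTHINFO_UNAVAIL))
```

The `required` case is also instructive: it still fails closed, but the stack keeps running, so `pam_unix` is invoked and prompts even though the result is already decided.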