Package: monkeysphere Version: 0.42-2 Severity: normal Tags: patch upstream
Dear Maintainer, When I install monkeysphere on a FreedomBox, I get the following error: Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: monkeysphere-validation-agent The following NEW packages will be installed: monkeysphere 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/78.0 kB of archives. After this operation, 280 kB of additional disk space will be used. Selecting previously unselected package monkeysphere. (Reading database ... 205917 files and directories currently installed.) Preparing to unpack .../monkeysphere_0.42-2_all.deb ... Unpacking monkeysphere (0.42-2) ... Setting up monkeysphere (0.42-2) ... ms: setting up Monkeysphere authentication trust core... su: Permission denied Failed running transition script /usr/share/monkeysphere/transitions/0.23 dpkg: error processing package monkeysphere (--configure): installed monkeysphere package post-installation script subprocess returned error exit status 1 Processing triggers for man-db (2.8.4-2+b1) ... Errors were encountered while processing: monkeysphere E: Sub-process /usr/bin/dpkg returned an error code (1) Further, publishing of keys fails as follows: root@mybox:/vagrant# monkeysphere-host publish D7D055DF04C101AC1885FC0BA31A54C879664ED1 Really publish key 'D7D055DF04C101AC1885FC0BA31A54C879664ED1' to pool.sks-keyservers.net? (Y/n) su: Permission denied This is due to following setting in /etc/security/access.conf which prohibits non-root users from logging into the system. -:ALL EXCEPT root fbx plinth (admin) (sudo):ALL We faced a similar issue with quassel-core package recently and the maintainer fixed it by using runuser instead of su. From what I gather from man pages, it should do the job here as expected. A patch is attached. runuser is part of util-linux and is an essential package on Debian. While all the tests pass, I am unable to ascertain the full impact of the change. -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), LANGUAGE=en_IN.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages monkeysphere depends on: ii adduser 3.118 ii gnupg 2.2.10-3 ii libcrypt-openssl-rsa-perl 0.31-1 ii lockfile-progs 0.1.18 ii perl [libdigest-sha-perl] 5.26.2-7+b1 Versions of packages monkeysphere recommends: pn agent-transfer <none> ii cron [cron-daemon] 3.0pl1-130 ii netcat-openbsd [netcat] 1.190-2 ii openssh-client 1:7.8p1-1 ii socat 1.7.3.2-2 pn ssh-askpass <none> Versions of packages monkeysphere suggests: ii msva-perl [monkeysphere-validation-agent] 0.9.2-1 -- no debconf information
>From 93b8d954d489e9b7096b91f82baf64d1bfd0273b Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa <[email protected]> Date: Thu, 25 Oct 2018 14:43:57 -0700 Subject: [PATCH] Use runuser instead of su On systems with restricted PAM security, it may not possible to use su. --- src/monkeysphere-authentication | 2 +- src/monkeysphere-host | 2 +- src/share/common | 14 ++------------ 3 files changed, 4 insertions(+), 14 deletions(-) diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index b3eb1e6..3223294 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -137,7 +137,7 @@ GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"} CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"} LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '} -# export variables needed in su invocation +# export variables needed for invoking command under monkeysphere user export DATE export LOG_LEVEL export KEYSERVER diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 75895e9..089c2b6 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -360,7 +360,7 @@ PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '} -# export variables needed in su invocation +# export variables needed for invoking command under monkeysphere user export DATE export LOG_LEVEL export KEYSERVER diff --git a/src/share/common b/src/share/common index 80ae88a..22c4d3e 100644 --- a/src/share/common +++ b/src/share/common @@ -98,26 +98,16 @@ su_monkeysphere_user() { # monkeysphere user, but without prompting for any sort of # authentication. If this is not possible, we should just fail. - # FIXME: our current implementation is overly restrictive, because - # there may be some su PAM configurations that would allow su - # "$MONKEYSPHERE_USER" -c "$@" to Just Work without prompting, - # allowing specific users to invoke commands which make use of - # this user. - - # chpst (from runit) would be nice to use, but we don't want to - # introduce an extra dependency just for this. This may be a - # candidate for re-factoring if we switch implementation languages. - case $(id -un) in # if monkeysphere user, run the command as a subshell "$MONKEYSPHERE_USER") ( "$@" ) ;; - # if root, su command as monkeysphere user + # if root, run command as monkeysphere user 'root') # requote arguments using bash builtin feature (see "help printf"): - su "$MONKEYSPHERE_USER" -s "$(which bash)" -c "$(printf "%q " "$@")" + runuser -u "$MONKEYSPHERE_USER" -- "$@" ;; # otherwise, fail -- 2.19.1

