Package: libpam-script
Version: 1.1.9-4
Severity: normal

Hi,

I've just installed libpam-script, and noticed it uses "sufficient" in its pam config lines. This results in e.g. the following common-auth on my system:

# here are the per-package modules (the "Primary" block)
auth sufficient pam_script.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one
# already; this avoids us returning an error just because nothing sets
# a success code since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_fscrypt.so
auth optional pam_cap.so
# end of pam-auth-update config

IIUC, sufficient means to stop executing other modules if the script succeeds. This is fine wrt other modules that do additional "primary" authentication checks (e.g. only one of them needs to succeed), but AFAICS this also prevents running additional modules (that typically run after the primary modules, such as the fscrypt or cap modules above).

As you can see, the unix module uses a jump to skip any other primary modules, rather than sufficient to skip *all* other modules. This is something that pam-auth-update can apparently automatically handle. Here's how this looks in /usr/share/pam-configs/unix:

Name: Unix authentication
Default: yes
Priority: 256
Auth-Type: Primary
Auth:
	[success=end default=ignore] pam_unix.so nullok_secure try_first_pass
Auth-Initial:
	[success=end default=ignore] pam_unix.so nullok_secure
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
	[success=end new_authtok_reqd=done default=ignore] pam_unix.so

Note the "success=end", which I assume to be autoreplaced with an appropriate value.

Gr.
Matthijs

-- System Information:
Debian Release: buster/sid
  APT prefers disco-updates
  APT policy: (990, 'disco-updates'), (990, 'disco-security'), (990, 'disco-backports'), (990, 'disco'), (50, 'testing'), (50, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-25-generic (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-script depends on:
ii  libc6     2.29-0ubuntu2
ii  libpam0g  1.3.1-5ubuntu1

libpam-script recommends no packages.

libpam-script suggests no packages.

-- no debconf information
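
The stack behaviour described in the report above can be traced with a small simulator. This is an added example, not part of the original report and not code from libpam-script or pam-auth-update. It uses a simplified two-outcome model of the Linux-PAM control values, constructed module outcomes, and the assumption that "success=end" for pam_script.so would become "success=2" in this stack.

```python
import re

# Keyword controls as (action on success, action on any other result):
# a simplified two-outcome model of the Linux-PAM control values.
KEYWORDS = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
            "sufficient": ("done", "ignore"), "optional": ("ok", "ignore")}

def parse_line(line):
    """Split one 'auth <control> <module> [args]' line into (actions, module)."""
    m = re.match(r"\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
    control, module = m.group(1), m.group(2)
    if control.startswith("["):
        pairs = dict(p.split("=") for p in control[1:-1].split())
        return (pairs["success"], pairs["default"]), module
    return KEYWORDS[control], module

def run_stack(lines, succeeds):
    """Return (granted, executed); `succeeds` is the set of modules returning success."""
    stack = [parse_line(l) for l in lines
             if l.strip() and not l.lstrip().startswith("#")]
    executed, positive, failed, i = [], False, False, 0
    while i < len(stack):
        (on_success, on_other), module = stack[i]
        executed.append(module)
        action = on_success if module in succeeds else on_other
        i += 1
        if action.isdigit():
            i += int(action)              # jump over the next N modules
        elif action in ("ok", "done"):
            positive = positive or not failed
            if action == "done" and not failed:
                break                     # 'sufficient' success: nothing below runs
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                break
    return positive and not failed, executed

TAIL = """
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_fscrypt.so
auth optional pam_cap.so
""".splitlines()
REPORTED = ["auth sufficient pam_script.so"] + TAIL
# Assumption: the jump that skips pam_unix.so and pam_deny.so only.
WITH_JUMP = ["auth [success=2 default=ignore] pam_script.so"] + TAIL
ALWAYS = {"pam_permit.so", "pam_fscrypt.so", "pam_cap.so"}  # constructed outcomes

if __name__ == "__main__":
    for name, stack in (("sufficient", REPORTED), ("jump", WITH_JUMP)):
        print(name, run_stack(stack, ALWAYS | {"pam_script.so"}))
```

With pam_script.so succeeding, the reported stack stops after the first module, while the jump variant still reaches pam_fscrypt.so and pam_cap.so.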