[MIR] authd
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
authd (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
[Availability]
- The package authd is already in Ubuntu universe.
- The package authd build for the architectures it is designed to work on.
- It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
- Link to package https:/
[Rationale]
- Authd is the foundation for cloud-based authentication and MFA support on Ubuntu and identity providers such as Open ID connect or Microsoft Azure / Entra ID. This package also enables partners to create their own authentication brokers.
- The package authd is required to be in main for enabling cloud authentication at provisioning time.
- The package authd will generally be useful for corporate users.
- No package in main or universe currently offers cloud authentication capabilities.
- The target release is the next LTS 24.04 LTS.
[Security]
- This is a new software developed and maintained by Canonical. It has no security history.
- No CVEs/security issues in this software in the past (There are false positives. authd is an authentication daemon for Junos and VMWare):
- (0) https:/
- (0) https:/
- (0) https:/
- no `suid` or `sgid` binaries
- Package does install a dpkg trigger on /usr/lib/linux/efi
- Packages does not open privileged ports (ports < 1024)
- Packages does not contain extensions to security-sensitive software
- It installs a service in /usr/sbin/authd, running as root. The service has some systemd confinement.
- It installs a PAM module
- It installs an NSS module.
- Communication between authd and its brokers is done over DBus
- Communication between the pam/nss module and authd are done over a local DBus socket (socket activated service), using grpc.
- Security has been kept in mind and common isolation/
- /!\ This requires a security review.
[Quality assurance - function/usage]
- The package needs post install configuration and reading of documentation. - There isn't a safe default because the administrator must configure the selected authentication broker corresponding to their identity providers.
- Once installed without additional configuration, PAM requests are ignored by authd.
[Quality assurance - maintenance]
- The Ubuntu Desktop team (~desktop-packages) maintains this package. It doesn’t have any long-term and critical, open bugs:
- https:/
- https:/
[Quality assurance - testing]
- There is a comprehensive, non-trivial, testsuite. The testsuite includes integration and functional tests.
- The testsuite runs at build time. The branch coverage is 89%:
- https:/
- https:/
- The same test suite runs as autopkgtest. It is passing on all supported architectures. Links to test logs:
- https:/
- arm64 tests are flaky due to a Rust regression that makes the build very slow and timing out.
- Currently, autopkgtests and package build are skipping integration tests (because it needs a VHS binary). We are working on bringing it before the 24.04 release with a mock ttyd so that we can run them there too.
- Upstream CI also includes code sanity checks (golangci-lint, including gosec) and vulnerability scanning (govulneck).
[Quality assurance - packaging]
- There is no debian/watch because authd is a native package.
debian/control defines a correct Maintainer field:
Maintainer: Ubuntu Developers <email address hidden>
- This package does not yield massive lintian Warnings, Errors
```
$ lintian --pedantic --tag-display-limit 0
W: authd-dbgsym: debug-file-
W: authd: no-manual-page [usr/sbin/authd]
P: authd: spelling-
```
- spelling-
- Lintian overrides package-
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default. The package is installed during provisioning if the user explicitly selects it. In this case, they’ll have to also select an identity provider and questions will be asked.
- Packaging and build is easy:
- https:/
[UI standards]
- Application is not end-user facing, one string is translatable, via standard intltool/gettext or similar build and runtime internationaliz
pam/
- Most of the translated strings will come from the different brokers (separate projects)
- The system for internationaliz
[Dependencies]
- No further depends or recommends dependencies that are not yet in main.
[Standards compliance]
- This package correctly follows FHS
- This package violates Debian Policy. It vendorizes various Go (in vendor/) and Rust libraries (in vendor_rust/). We are maintaining them up to date with dependabot in our upstream CI. The Go part is covered by the govulncheck security scanning on the Go version we are depending on and its vendored dependency.
[Maintenance/Owner]
- The owning team will be desktop-packages and I have their acknowledgement for that commitment
- The team desktop-packages is subscribed.
- The team desktop-packages is aware of the implications by a static build and commits to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM).
- The team desktop-packages is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates to the security team for any affected vendored code for the lifetime of the release (including ESM).
- This package (NSS module) is Rust based and vendors all non language-runtime dependencies.
[Background information]
- The Package description explains the package well.
- Upstream Name is authd.
- Link to upstream project https:/
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in authd (Ubuntu): | |
assignee: | nobody → Ioanna Alifieraki (joalif) |
Vendored packaging is required for Go and Rust, but does not scale well for maintenance. There is a lot of vendored code in this package.
Is Security responsible for monitoring all 190 vendored packages for CVEs? Is Security responsible for resolving vulnerabilities in every vendored package?
Security could monitor CVE assignments to vendored packages and alert owning teams. I believe owning teams need to own vendored package maintenance. Otherwise the scaling nature of vendored packages falls on Security and will not be sustainable. After Security's CVE intake, owning team would need to set the affected status of CVEs in vendored packages.
Are there unnecessary dependencies in this package? Should we package or maintain ./vendor_rust/win* ?
What is Security's responsibility in reviewing dependencies during an MIR? If we don't review each package there is an MIR loop-hole to avoid security concerns. We cannot perform a security review of 191 packages by 24.04.
Please see the vendored discussion on ubuntu-mir [0], particularly the comment about [1] `cargo vendor` causing unnecessary vendoring.
eslerm@ mino:~/ audits/ authd/noble/ authd-0. 2$ ls vendor_rust/ vendor/*/ |wc -l
190
[0] https:/ /github. com/canonical/ ubuntu- mir/issues/ 35 /github. com/canonical/ ubuntu- mir/issues/ 35#issuecomment -1859325671
[1] https:/
edit: owning team already stated they are "commit[ed] to provide [vendor] updates to the security team" :)
As a debdiff for Security to sponsor, that sounds great \o/