pam's nullok_secure seems to break pbuilder build

Automatically imported from Debian bug report #330291 http://bugs.debian.org/330291

Message-Id: <email address hidden>
Date: Tue, 27 Sep 2005 18:36:32 +0900
From: Horms <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: pam's nullok_secure seems to break pbuilder build

Package: pbuilder
Version: 0.131
Severity: important

Hi,

I recently noticed that when runing pbuilder build, it fails as
it calls su internally. I tracked this down to su wanting a password,
and futher tracked this to pam using nullok_secure, wheras nullok works,
I guess we aren't coming from a secure tty.

In any case, I found the following hook allows pbuilder build
to work, I'm not sure what a good longer term solution is.

--- begin E00nullok ---
#!/bin/bash
#E00nullok

cat > /etc/pam.d/common-auth << __EOF__
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# nullok_secure does not seem to work when pbuilder calls su
#auth required pam_unix.so nullok_secure
auth required pam_unix.so nullok
__EOF__
--- end E00nullok ---

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686-smp
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP) (ignored: LC_ALL set to ja_JP.eucJP)

Versions of packages pbuilder depends on:
ii cdebootstrap 0.3.8 Bootstrap a Debian system
ii coreutils 5.2.1-2.1 The GNU core utilities
ii debianutils 2.14.3 Miscellaneous utilities specific t
ii gcc 4:4.0.1-3 The GNU C compiler
ii wget 1.10.1-1 retrieves files from the web

Versions of packages pbuilder recommends:
ii devscripts 2.9.7 Scripts to make the life of a Debi
ii fakeroot 1.5.1 Gives a fake root environment
ii sudo 1.6.8p9-2 Provide limited super user privile

-- no debconf information

Message-ID: <87slvqybbx.dancerj%<email address hidden>>
Date: Tue, 27 Sep 2005 20:55:14 +0900
From: Junichi Uekawa <email address hidden>
To: Horms <email address hidden>,
 <email address hidden>
Subject: Re: Bug#330291: pam's nullok_secure seems to break pbuilder build

Hi,

> I recently noticed that when runing pbuilder build, it fails as
> it calls su internally. I tracked this down to su wanting a password,
> and futher tracked this to pam using nullok_secure, wheras nullok works,
> I guess we aren't coming from a secure tty.

I don't seem to be able to reproduce this particular problem;
what's causing this?

Hmmm:
http://archives.neohapsis.com/archives/pam-list/2005-08/0014.html

So, /etc/securetty somewhere (possibly inside the chroot)
is not what pam wants.

I have one problem in that pbuilder will feed it with < /dev/null,
and that's not a tty, according to tty command,

$ tty < /dev/null
not a tty

regards,
 junichi

Message-ID: <87achxz8xx.dancerj%<email address hidden>>
Date: Wed, 28 Sep 2005 21:13:46 +0900
From: Junichi Uekawa <email address hidden>
To: Andreas Tille <email address hidden>, <email address hidden>, Horms <email address hidden>,
 <email address hidden>, <email address hidden>
Cc: Debian Developers <email address hidden>
Subject: Re: Authentication problem with pbuilder

Hi,

> Extracting source
> Password: su: Authentication failure
> Sorry.
> pbuilder: Failed extracting the source
> -> Aborting with an error
> -> unmounting dev/pts filesystem
> ...
>
>
> I guess I have to set a further sudo permission here but for what program?
> It is 'sudo su' ? I would not really like this even if it is convinient.
>

I've tracked the problem down to the fact that
/etc/pam.d/su no longer exists with a clean install
since around yesterday.
Upgraded systems continue to work since /etc/pam.d/su
already exists.

Without /etc/pam.d/su, root running su will be asked
for a password.

I'm suspecting either of

login 1:4.0.12-2 -> 1:4.0.12-3
pam 0.76-23->0.79-1

regards,
 junichi

Message-Id: <Pine.LNX.4.62.0509281426400.8343@wr-linux02>
Date: Wed, 28 Sep 2005 14:31:24 +0200 (CEST)
From: Andreas Tille <email address hidden>
To: Junichi Uekawa <email address hidden>
cc: <email address hidden>, Horms <email address hidden>,
 <email address hidden>, <email address hidden>,
 Debian Developers <email address hidden>
Subject: Re: Authentication problem with pbuilder

On Wed, 28 Sep 2005, Junichi Uekawa wrote:

> I've tracked the problem down to the fact that
> /etc/pam.d/su no longer exists with a clean install
> since around yesterday.
> Upgraded systems continue to work since /etc/pam.d/su
> already exists.

Nice that you found an issue. On the other hand my system was
installed about 10 months ago and I only upgraded. I'm more or
less using an up to date testing system with the exception of some
packages from sid.

> Without /etc/pam.d/su, root running su will be asked
> for a password.

This is not the case. I can su to any user (including root) without
password if I'm logged in as root.

> I'm suspecting either of
>
> login 1:4.0.12-2 -> 1:4.0.12-3

    login 4.0.3-35
(without any changes to /etc/pam.d/su)

> pam 0.76-23->0.79-1

Not installed on the system in question.

Kind regards

          Andreas.

--
http://fam-tille.de

Message-ID: <878xxhz7r8.dancerj%<email address hidden>>
Date: Wed, 28 Sep 2005 21:39:23 +0900
From: Junichi Uekawa <email address hidden>
To: Junichi Uekawa <email address hidden>,
 <email address hidden>
Cc: Andreas Tille <email address hidden>, Horms <email address hidden>, <email address hidden>,
 <email address hidden>, Debian Developers <email address hidden>,
 <email address hidden>
Subject: Re: Bug#330291: Authentication problem with pbuilder

tags 330291 +patch
reassign 330291 login
severity 330291 serious
thanks

Hi,

> > Extracting source
> > Password: su: Authentication failure
> > Sorry.
> > pbuilder: Failed extracting the source
> > -> Aborting with an error
> > -> unmounting dev/pts filesystem
> > ...
> >
> >
> > I guess I have to set a further sudo permission here but for what program?
> > It is 'sudo su' ? I would not really like this even if it is convinient.
> >
>
> I've tracked the problem down to the fact that
> /etc/pam.d/su no longer exists with a clean install
> since around yesterday.
> Upgraded systems continue to work since /etc/pam.d/su
> already exists.
>
> Without /etc/pam.d/su, root running su will be asked
> for a password.
>
> I'm suspecting either of
>
> login 1:4.0.12-2 -> 1:4.0.12-3
> pam 0.76-23->0.79-1

I've tracked it down to shadow; I think this is the required patch.

diff -urN shadow-4.0.12-orig/debian/login.su.pam shadow-4.0.12/debian/login.su.pam
--- shadow-4.0.12-orig/debian/login.su.pam 1970-01-01 09:00:00.000000000 +0900
+++ shadow-4.0.12/debian/login.su.pam 2005-09-28 21:16:25.598938168 +0900
@@ -0,0 +1,45 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo" to
+# to the end of this line if you want to use a group other
+# than the default "root".
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses /etc/environment (the standard for setting
+# environ vars) and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# (Replaces the `ENVIRON_FILE' setting from login.defs)
+auth required pam_env.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /et...

Message-ID: <871x39z79q.dancerj%<email address hidden>>
Date: Wed, 28 Sep 2005 21:49:53 +0900
From: Junichi Uekawa <email address hidden>
To: Junichi Uekawa <email address hidden>,
 <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#330291: Authentication problem with pbuilder

retitle 330291 missing /etc/pam.d/su from login package
thanks

Let us retitle this bugreport, so that is looks more correct.

amicablement,
 junichi

--
Junichi Uekawa, Debian Developer http://www.netfort.gr.jp/~dancer/
183A 70FC 4732 1B87 57A5 CE82 D837 7D4E E81E 55C1

Message-ID: <email address hidden>
Date: Wed, 28 Sep 2005 15:55:31 +0200
From: Nicolas =?iso-8859-1?Q?Fran=E7ois?= <email address hidden>
To: Junichi Uekawa <email address hidden>, <email address hidden>
Subject: Re: Bug#330291: Authentication problem with pbuilder

tags 330291 pending
thanks

Committed.
Thanks for noticying and for the patch.

Kind Regards,
--
Nekral

Message-ID: <email address hidden>
Date: Wed, 28 Sep 2005 19:14:52 +0200
From: Christian Perrier <email address hidden>
To: <email address hidden>
Cc: Junichi Uekawa <email address hidden>
Subject: Re: [Pkg-shadow-devel] Bug#330291: Authentication problem with pbuilder

Quoting Nicolas Fran=E7ois (<email address hidden>):
> tags 330291 pending
> thanks
>=20
> Committed.
> Thanks for noticying and for the patch.

I'm building 4.0.12-4 with Junichi's patch.

/me slams self for bad use of dh_installpam in his attempts to make
debian/rules a little bit less messy..:-|

Thanks, Junichi for the quick fix.

Message-Id: <email address hidden>
Date: Wed, 28 Sep 2005 11:02:26 -0700
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: Bug#330291: fixed in shadow 1:4.0.12-4

Source: shadow
Source-Version: 1:4.0.12-4

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.12-4_i386.deb
  to pool/main/s/shadow/login_4.0.12-4_i386.deb
passwd_4.0.12-4_i386.deb
  to pool/main/s/shadow/passwd_4.0.12-4_i386.deb
shadow_4.0.12-4.diff.gz
  to pool/main/s/shadow/shadow_4.0.12-4.diff.gz
shadow_4.0.12-4.dsc
  to pool/main/s/shadow/shadow_4.0.12-4.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <email address hidden> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 27 Sep 2005 07:20:44 +0200
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.12-4
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <email address hidden>
Changed-By: Christian Perrier <email address hidden>
Description:
 login - system login tools
 passwd - change and administer password and group data
Closes: 330291 330338 330526
Changes:
 shadow (1:4.0.12-4) unstable; urgency=low
 .
   * The "Epoisses" release
   * Debian packaging fixes:
     - debian/control:
       Add a few more Replaces for broken manpages-xx packages
       which provide random man pages for software they don't
       provide. Closes: #330526, #330338
   * Use dh_installpam correctly so that /etc/pam.d/su really exists
     Closes: #330291
   * Change section to admin because of the restructuration of the "base"
     section by the ftpmasters
Files:
 ff35dad725715808f34c8a6f1dc4cd36 867 admin required shadow_4.0.12-4.dsc
 2d2db4c654c0f90017c8695dfebf0a5a 627869 admin required shadow_4.0.12-4.diff.gz
 d701e656e0271c7772a7fd786f703a72 525000 admin required passwd_4.0.12-4_i386.deb
 667bced40909e9fd34a5c1eb400dc688 489604 admin required login_4.0.12-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDOtUd1OXtrMAUPS0RAnPPAJ47zYqbloY7dkOz/oNXSSzcIYQRSQCfX4wD
rYiAg8v6cJbNt2AOHLnTYis=
=l0u5
-----END PGP SIGNATURE-----

Message-Id: <email address hidden>
Date: Wed, 28 Sep 2005 11:17:29 -0700
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: Bug#330291: fixed in shadow 1:4.0.12-5

Source: shadow
Source-Version: 1:4.0.12-5

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.12-5_i386.deb
  to pool/main/s/shadow/login_4.0.12-5_i386.deb
passwd_4.0.12-5_i386.deb
  to pool/main/s/shadow/passwd_4.0.12-5_i386.deb
shadow_4.0.12-5.diff.gz
  to pool/main/s/shadow/shadow_4.0.12-5.diff.gz
shadow_4.0.12-5.dsc
  to pool/main/s/shadow/shadow_4.0.12-5.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <email address hidden> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 28 Sep 2005 19:59:31 +0200
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.12-5
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <email address hidden>
Changed-By: Christian Perrier <email address hidden>
Description:
 login - system login tools
 passwd - change and administer password and group data
Closes: 330291
Changes:
 shadow (1:4.0.12-5) unstable; urgency=low
 .
   * Really add /etc/pam.d/su. Closes: #330291
Files:
 65a2fd3c58d770897360b43f4e2e1d81 867 admin required shadow_4.0.12-5.dsc
 23e47bafede9925057edfe53e56962d0 628480 admin required shadow_4.0.12-5.diff.gz
 6cd2102b64ce87ccccf22f80d1231963 524932 admin required passwd_4.0.12-5_i386.deb
 03eec6788ef8ece3976b5e139ae454fb 489948 admin required login_4.0.12-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDOtrB1OXtrMAUPS0RAt4YAJsEQLSQ56iQ5iRQrSpxVmE0VsT+UQCgtADR
C61Fadj/0Mrd3ScwVxaMkt0=
=HFq+
-----END PGP SIGNATURE-----

Message-ID: <email address hidden>
Date: Wed, 28 Sep 2005 16:00:55 -0700
From: Steve Langasek <email address hidden>
To: Junichi Uekawa <email address hidden>
Cc: Andreas Tille <email address hidden>, <email address hidden>,
 Horms <email address hidden>, <email address hidden>, <email address hidden>,
 Debian Developers <email address hidden>
Subject: Re: Authentication problem with pbuilder

--2JFBq9zoW8cOFH7v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Sep 28, 2005 at 09:13:46PM +0900, Junichi Uekawa wrote:

> > Extracting source
> > Password: su: Authentication failure
> > Sorry.
> > pbuilder: Failed extracting the source
> > -> Aborting with an error
> > -> unmounting dev/pts filesystem
> > ...

> > I guess I have to set a further sudo permission here but for what progr=
am?
> > It is 'sudo su' ? I would not really like this even if it is convinien=
t.

> I've tracked the problem down to the fact that=20
> /etc/pam.d/su no longer exists with a clean install
> since around yesterday.
> Upgraded systems continue to work since /etc/pam.d/su=20
> already exists.

> Without /etc/pam.d/su, root running su will be asked
> for a password.

> I'm suspecting either of

> login 1:4.0.12-2 -> 1:4.0.12-3
> pam 0.76-23->0.79-1

Suspect only the first. pam doesn't control any per-application config
files.

--=20
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

--2JFBq9zoW8cOFH7v
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDOyCnKN6ufymYLloRAr4LAJsFXxFl5poH8CqfpaVsDb+8m/wC2QCgyNwb
4b5gWhrpi2w9Xe7joX1sNKc=
=6/es
-----END PGP SIGNATURE-----

--2JFBq9zoW8cOFH7v--

Already fixed upstream in Debian, never affected us.