
#1 2024-01-19 14:02:18

eldragon
Member
From: Buenos Aires
Registered: 2008-11-18
Posts: 1,029

pam 1.6.0-3 breaks sudo and openvpn

Hello,

Recently updated pam to 1.6.0-3 from pam-1.5.3-3 and it broke:

sudo (wrong password)
openvpn (failed login).

I haven't tested local login but I suspect it might break too.

Downgraded to 1.5.3-3 and the issue was resolved.

I tried filing a bug but I don't have an account. Creating an account is disabled for now.

I'm requesting one but it might take a while, so I'm posting here for other users.

Cheers.

Offline

#2 2024-01-19 15:25:44

seth
Member
Registered: 2012-09-03
Posts: 51,617

Offline

#3 2024-01-19 16:14:16

loqs
Member
Registered: 2014-03-06
Posts: 17,427

Re: pam 1.6.0-3 breaks sudo and openvpn

You can report the issue upstream without waiting for an account on Arch's gitlab.  Please consider performing the git bisection first.  Please ask if you need help with the bisection.

Offline

#4 2024-01-19 16:20:16

seth
Member
Registered: 2012-09-03
Posts: 51,617

Re: pam 1.6.0-3 breaks sudo and openvpn

Also as a sanity check

pacman -Qikk pam pambase sudo

Offline

#5 2024-01-19 19:16:12

loqs
Member
Registered: 2014-03-06
Posts: 17,427

Re: pam 1.6.0-3 breaks sudo and openvpn

Offline

#6 2024-01-19 21:03:45

seth
Member
Registered: 2012-09-03
Posts: 51,617

Re: pam 1.6.0-3 breaks sudo and openvpn

The relevant branch has existed for 19 years, https://github.com/linux-pam/linux-pam/ … pwd.c#L108

If the pam update indeed breaks (?) the openvpn-plugin-auth-pam.so plugin, keeping the UID/GID intact and withdrawing the systemd restrictions seems more interesting.
Apparently the offending pam commit introduces a helper and that helper will not be covered by the hardened service.
Could be a massive clash between pam and systemd…

Also, still sanity check

pacman -Qikk pam pambase sudo openvpn

Offline

#7 2024-01-20 12:35:12

loqs
Member
Registered: 2014-03-06
Posts: 17,427

Re: pam 1.6.0-3 breaks sudo and openvpn

Possibly https://github.com/linux-pam/linux-pam/ … pwd.c#L119 interacting with CAP_SETGID CAP_SETUID?
Edit:
What happens if CAP_SETGID and CAP_SETUID are removed from AmbientCapabilities plus CapabilityBoundingSet of the openvpn service?
Edit2:
Still produces the issue https://gitlab.archlinux.org/archlinux/ … ote_158006.
Edit3:
sudo could be pam_faillog triggering after three failures using openvpn.

Last edited by loqs (2024-01-21 17:11:24)

Offline
