[Bug 2091659] Re: pam-auth-update silently fails if a config file has CRLF line endings

Nate Simon 2091659 at bugs.launchpad.net
Thu Dec 12 18:08:20 UTC 2024


I wonder if this issue could cause an invalid pam configuration to be
generated? In my example, pwquality is a "requisite". But if this
affected a module marked [success=end], seems that it might mess up the
jump offset counts.

Didn't try because I didn't want to deal with having a broken pam
configuration on my system.

-- 
https://bugs.launchpad.net/bugs/2091659

Title:
  pam-auth-update silently fails if a config file has CRLF line endings

Status in pam package in Ubuntu:
  New

Bug description:
  If a configuration file in /usr/share/pam-configs has CRLF-style line
  endings, pam-auth-update will silently fail with no errors.

  I won't suggest that the config should allow CRLF line endings. But if
  a file does have alternate line endings, the script should present an
  error. As-is, there is no indication that the command failed unless
  you manually inspect the generated configuration file. And then, there
  are no hints as to what caused the config to not be accepted.

  Example failure (pwquality is absent from common-password):

  nate@localhost:/usr/share/pam-configs$ file pwquality
  pwquality: ASCII text, with CRLF line terminators

  nate@localhost:/usr/share/pam-configs$ sudo pam-auth-update --enable pwquality

  nate@localhost:/usr/share/pam-configs$ cat /etc/pam.d/common-password
  [...]
  # here are the per-package modules (the "Primary" block)
  password	required pam_pwhistory.so remember=400
  password	[success=2 default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
  password	[success=1 default=ignore]	pam_ldap.so minimum_uid=1000 try_first_pass
  # here's the fallback if no module succeeds
  password	requisite			pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  password	required			pam_permit.so
  # and here are more per-package modules (the "Additional" block)
  password	optional	pam_gnome_keyring.so 
  # end of pam-auth-update config

  
  Example PASS:

  nate@localhost:/usr/share/pam-configs$ file pwquality
  pwquality: ASCII text

  nate@localhost:/usr/share/pam-configs$ sudo pam-auth-update --enable pwquality

  nate@localhost:/usr/share/pam-configs$ cat /etc/pam.d/common-password
  [...]
  # here are the per-package modules (the "Primary" block)
  password	requisite                       pam_pwquality.so retry=3 enforce_for_root
  password	required pam_pwhistory.so remember=400 use_authtok
  password	[success=2 default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
  password	[success=1 default=ignore]	pam_ldap.so minimum_uid=1000 try_first_pass
  # here's the fallback if no module succeeds
  password	requisite			pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  password	required			pam_permit.so
  # and here are more per-package modules (the "Additional" block)
  password	optional	pam_gnome_keyring.so 
  # end of pam-auth-update config

  Regardless of line ending style, the relevant config line still is added to /var/lib/pam:
  nate@localhost:/$ cat /var/lib/pam/password
  Module: pwquality
  requisite                       pam_pwquality.so retry=3 enforce_for_root
  [...]
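
The manual inspection described in the report can be scripted. The following is an added example, not part of the bug report or of pam-auth-update: it lists profiles that contain carriage returns and reports modules that are recorded in the state file but missing from the generated config. The function names and sample files are constructed, and the state-file layout is assumed from the /var/lib/pam/password excerpt above.

```shell
#!/bin/sh
# Added example; not part of pam-auth-update or the pam package.
CR=$(printf '\r')

# Print every file in profile directory $1 that contains a carriage return.
# Exit status 0 means at least one such file was found.
crlf_profiles() {
    grep -ls "$CR" "$1"/*
}

# Print each pam_*.so module named in state file $1 that appears on no
# non-comment line of generated file $2. The state-file layout is assumed
# from the /var/lib/pam/password excerpt in the report.
missing_modules() {
    grep -o 'pam_[A-Za-z0-9_]*\.so' "$1" | sort -u | while read -r mod; do
        grep -v '^[[:space:]]*#' "$2" | grep -qF "$mod" || echo "$mod"
    done
}

# Build constructed sample files that mirror the failing case in the report.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/pam-configs" || return 1
    printf 'Name: constructed CRLF profile\r\nPassword-Type: Primary\r\n' \
        > "$d/pam-configs/pwquality"
    printf 'Name: constructed LF profile\nPassword-Type: Primary\n' \
        > "$d/pam-configs/unix"
    cat > "$d/state" <<'EOF'
Module: pwquality
requisite                       pam_pwquality.so retry=3 enforce_for_root
Module: unix
[success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
EOF
    cat > "$d/common-password" <<'EOF'
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
# here's the fallback if no module succeeds
password requisite pam_deny.so
password required pam_permit.so
EOF
    echo "$d"
}

sample=$(make_sample)
echo "Profiles with CR line endings:"
crlf_profiles "$sample/pam-configs" || echo "(none)"
echo "Recorded in state file but absent from generated config:"
missing_modules "$sample/state" "$sample/common-password"
rm -rf "$sample"
```

On a real system the same functions would be pointed at /usr/share/pam-configs, /var/lib/pam/password and /etc/pam.d/common-password, the paths named in the report.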
