[Pkg-privacy-maintainers] Bug#911907: monkeysphere: Install fails on systems with PAM login restrictions
Sunil Mohan Adapa
sunil at medhas.org
Fri Oct 26 02:20:11 BST 2018
Package: monkeysphere
Version: 0.42-2
Severity: normal
Tags: patch upstream
Dear Maintainer,
When I install monkeysphere on a FreedomBox, I get the following error:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
monkeysphere-validation-agent
The following NEW packages will be installed:
monkeysphere
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/78.0 kB of archives.
After this operation, 280 kB of additional disk space will be used.
Selecting previously unselected package monkeysphere.
(Reading database ... 205917 files and directories currently installed.)
Preparing to unpack .../monkeysphere_0.42-2_all.deb ...
Unpacking monkeysphere (0.42-2) ...
Setting up monkeysphere (0.42-2) ...
ms: setting up Monkeysphere authentication trust core...
su: Permission denied
Failed running transition script /usr/share/monkeysphere/transitions/0.23
dpkg: error processing package monkeysphere (--configure):
installed monkeysphere package post-installation script subprocess returned error exit status 1
Processing triggers for man-db (2.8.4-2+b1) ...
Errors were encountered while processing:
monkeysphere
E: Sub-process /usr/bin/dpkg returned an error code (1)
Further, publishing of keys fails as follows:
root at mybox:/vagrant# monkeysphere-host publish D7D055DF04C101AC1885FC0BA31A54C879664ED1
Really publish key 'D7D055DF04C101AC1885FC0BA31A54C879664ED1' to pool.sks-keyservers.net? (Y/n)
su: Permission denied
This is due to following setting in /etc/security/access.conf which prohibits non-root users from logging into the system.
-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL
We faced a similar issue with quassel-core package recently and the maintainer fixed it by using runuser instead of su. From what I gather from man pages, it should do the job here as expected. A patch is attached. runuser is part of util-linux and is an essential package on Debian. While all the tests pass, I am unable to ascertain the full impact of the change.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), LANGUAGE=en_IN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages monkeysphere depends on:
ii adduser 3.118
ii gnupg 2.2.10-3
ii libcrypt-openssl-rsa-perl 0.31-1
ii lockfile-progs 0.1.18
ii perl [libdigest-sha-perl] 5.26.2-7+b1
Versions of packages monkeysphere recommends:
pn agent-transfer <none>
ii cron [cron-daemon] 3.0pl1-130
ii netcat-openbsd [netcat] 1.190-2
ii openssh-client 1:7.8p1-1
ii socat 1.7.3.2-2
pn ssh-askpass <none>
Versions of packages monkeysphere suggests:
ii msva-perl [monkeysphere-validation-agent] 0.9.2-1
-- no debconf information
-------------- next part --------------
>From 93b8d954d489e9b7096b91f82baf64d1bfd0273b Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <sunil at medhas.org>
Date: Thu, 25 Oct 2018 14:43:57 -0700
Subject: [PATCH] Use runuser instead of su
On systems with restricted PAM security, it may not possible to use su.
---
src/monkeysphere-authentication | 2 +-
src/monkeysphere-host | 2 +-
src/share/common | 14 ++------------
3 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index b3eb1e6..3223294 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -137,7 +137,7 @@ GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"}
CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"}
LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}
-# export variables needed in su invocation
+# export variables needed for invoking command under monkeysphere user
export DATE
export LOG_LEVEL
export KEYSERVER
diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index 75895e9..089c2b6 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -360,7 +360,7 @@ PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT}
GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}
-# export variables needed in su invocation
+# export variables needed for invoking command under monkeysphere user
export DATE
export LOG_LEVEL
export KEYSERVER
diff --git a/src/share/common b/src/share/common
index 80ae88a..22c4d3e 100644
--- a/src/share/common
+++ b/src/share/common
@@ -98,26 +98,16 @@ su_monkeysphere_user() {
# monkeysphere user, but without prompting for any sort of
# authentication. If this is not possible, we should just fail.
- # FIXME: our current implementation is overly restrictive, because
- # there may be some su PAM configurations that would allow su
- # "$MONKEYSPHERE_USER" -c "$@" to Just Work without prompting,
- # allowing specific users to invoke commands which make use of
- # this user.
-
- # chpst (from runit) would be nice to use, but we don't want to
- # introduce an extra dependency just for this. This may be a
- # candidate for re-factoring if we switch implementation languages.
-
case $(id -un) in
# if monkeysphere user, run the command as a subshell
"$MONKEYSPHERE_USER")
( "$@" )
;;
- # if root, su command as monkeysphere user
+ # if root, run command as monkeysphere user
'root')
# requote arguments using bash builtin feature (see "help printf"):
- su "$MONKEYSPHERE_USER" -s "$(which bash)" -c "$(printf "%q " "$@")"
+ runuser -u "$MONKEYSPHERE_USER" -- "$@"
;;
# otherwise, fail
--
2.19.1
More information about the Pkg-privacy-maintainers
mailing list