[Pkg-privacy-maintainers] Bug#911907: monkeysphere: Install fails on systems with PAM login restrictions

Sunil Mohan Adapa sunil at medhas.org
Fri Oct 26 02:20:11 BST 2018


Package: monkeysphere
Version: 0.42-2
Severity: normal
Tags: patch upstream

Dear Maintainer,

When I install monkeysphere on a FreedomBox, I get the following error:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  monkeysphere-validation-agent
The following NEW packages will be installed:
  monkeysphere
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/78.0 kB of archives.
After this operation, 280 kB of additional disk space will be used.
Selecting previously unselected package monkeysphere.
(Reading database ... 205917 files and directories currently installed.)
Preparing to unpack .../monkeysphere_0.42-2_all.deb ...
Unpacking monkeysphere (0.42-2) ...
Setting up monkeysphere (0.42-2) ...
ms: setting up Monkeysphere authentication trust core...
su: Permission denied
Failed running transition script /usr/share/monkeysphere/transitions/0.23
dpkg: error processing package monkeysphere (--configure):
 installed monkeysphere package post-installation script subprocess returned error exit status 1
Processing triggers for man-db (2.8.4-2+b1) ...
Errors were encountered while processing:
 monkeysphere
E: Sub-process /usr/bin/dpkg returned an error code (1)

Further, publishing of keys fails as follows:

root at mybox:/vagrant# monkeysphere-host publish D7D055DF04C101AC1885FC0BA31A54C879664ED1
Really publish key 'D7D055DF04C101AC1885FC0BA31A54C879664ED1' to pool.sks-keyservers.net? (Y/n) 
su: Permission denied

This is due to the following setting in /etc/security/access.conf, which prohibits non-root users from logging into the system.

-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL

We faced a similar issue with the quassel-core package recently and the maintainer fixed it by using runuser instead of su. From what I gather from the man pages, it should do the job here as expected. A patch is attached. runuser is part of util-linux and is an essential package on Debian. While all the tests pass, I am unable to ascertain the full impact of the change.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), LANGUAGE=en_IN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages monkeysphere depends on:
ii  adduser                    3.118
ii  gnupg                      2.2.10-3
ii  libcrypt-openssl-rsa-perl  0.31-1
ii  lockfile-progs             0.1.18
ii  perl [libdigest-sha-perl]  5.26.2-7+b1

Versions of packages monkeysphere recommends:
pn  agent-transfer           <none>
ii  cron [cron-daemon]       3.0pl1-130
ii  netcat-openbsd [netcat]  1.190-2
ii  openssh-client           1:7.8p1-1
ii  socat                    1.7.3.2-2
pn  ssh-askpass              <none>

Versions of packages monkeysphere suggests:
ii  msva-perl [monkeysphere-validation-agent]  0.9.2-1

-- no debconf information
-------------- next part --------------
From 93b8d954d489e9b7096b91f82baf64d1bfd0273b Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <sunil at medhas.org>
Date: Thu, 25 Oct 2018 14:43:57 -0700
Subject: [PATCH] Use runuser instead of su

On systems with restricted PAM security, it may not be possible to use su.
---
 src/monkeysphere-authentication |  2 +-
 src/monkeysphere-host           |  2 +-
 src/share/common                | 14 ++------------
 3 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index b3eb1e6..3223294 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -137,7 +137,7 @@ GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"}
 CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"}
 LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}
 
-# export variables needed in su invocation
+# export variables needed for invoking command under monkeysphere user
 export DATE
 export LOG_LEVEL
 export KEYSERVER
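Review bot: The reworded comment above the export block no longer names anything a reader can search for to find the consumer of these variables. The call goes through su_monkeysphere_user in src/share/common, so naming that function in the comment (here and in the identical line in src/monkeysphere-host) would keep the link between the exports and the code that depends on them.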
diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index 75895e9..089c2b6 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -360,7 +360,7 @@ PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT}
 GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
 LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}
 
-# export variables needed in su invocation
+# export variables needed for invoking command under monkeysphere user
 export DATE
 export LOG_LEVEL
 export KEYSERVER
diff --git a/src/share/common b/src/share/common
index 80ae88a..22c4d3e 100644
--- a/src/share/common
+++ b/src/share/common
@@ -98,26 +98,16 @@ su_monkeysphere_user() {
     # monkeysphere user, but without prompting for any sort of
     # authentication.  If this is not possible, we should just fail.
 
-    # FIXME: our current implementation is overly restrictive, because
-    # there may be some su PAM configurations that would allow su
-    # "$MONKEYSPHERE_USER" -c "$@" to Just Work without prompting,
-    # allowing specific users to invoke commands which make use of
-    # this user.
-
-    # chpst (from runit) would be nice to use, but we don't want to
-    # introduce an extra dependency just for this.  This may be a
-    # candidate for re-factoring if we switch implementation languages.
-
     case $(id -un) in
 	# if monkeysphere user, run the command as a subshell
 	"$MONKEYSPHERE_USER")
 	    ( "$@" )
 	    ;;
 
-         # if root, su command as monkeysphere user
+         # if root, run command as monkeysphere user
 	'root')
             # requote arguments using bash builtin feature (see "help printf"):
-	    su "$MONKEYSPHERE_USER" -s "$(which bash)" -c "$(printf "%q " "$@")"
+	    runuser -u "$MONKEYSPHERE_USER" -- "$@"
 	    ;;
 
 	# otherwise, fail
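Review bot: In the 'root' branch the context line '# requote arguments using bash builtin feature (see "help printf"):' stays in place although the printf "%q" call it described is removed; it should be deleted together with the su line. The old call also ran the arguments through bash -c, while runuser -u "$MONKEYSPHERE_USER" -- "$@" executes "$@" directly, so this branch now only works when the first argument is an external program, whereas the monkeysphere-user branch ( "$@" ) still accepts shell functions and builtins. Please confirm that every caller passes an executable, and consider renaming or re-documenting su_monkeysphere_user now that it no longer calls su.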
-- 
2.19.1
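To see why the access.conf rule quoted in the report rejects the monkeysphere system user, the following added example (not part of the original bug report or of monkeysphere) evaluates pam_access-style rules with first-match-wins semantics. It is a simplified subset: one EXCEPT per field, exact origin tokens, and group membership passed in by the caller. The function names are hypothetical, and whether su consults pam_access at all depends on the local PAM stack.

```shell
#!/bin/sh
# Simplified pam_access rule evaluator (constructed example, hypothetical names).
# Supports: "+"/"-" rules, user names, (group) tokens, ALL, one EXCEPT per field.

# Rule quoted in the bug report.
PAGE_RULE='-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL'

token_match() {   # token_match USER "GROUPS" TOKEN
    case $3 in
        ALL) return 0 ;;
        "("*")") g=${3#"("}; g=${g%")"}
                 case " $2 " in *" $g "*) return 0 ;; esac
                 return 1 ;;
        *) [ "$3" = "$1" ] ;;
    esac
}

any_match() {     # any_match USER "GROUPS" TOKEN...
    am_user=$1 am_groups=$2; shift 2
    for am_tok in "$@"; do
        token_match "$am_user" "$am_groups" "$am_tok" && return 0
    done
    return 1
}

field_match() {   # field_match USER "GROUPS" "USERS-FIELD"
    case " $3 " in
        *" EXCEPT "*) fm_inc=${3%% EXCEPT *}; fm_exc=${3#* EXCEPT } ;;
        *) fm_inc=$3; fm_exc= ;;
    esac
    # Unquoted on purpose: split the field into tokens (globbing is off).
    any_match "$1" "$2" $fm_inc || return 1
    [ -z "$fm_exc" ] && return 0
    ! any_match "$1" "$2" $fm_exc
}

# access_decision USER "GROUPS" ORIGIN  (rules on stdin) -> prints allow|deny
access_decision() (
    set -f
    while IFS=: read -r perm users origins; do
        case $perm in +|-) ;; *) continue ;; esac      # skip comments, blanks
        field_match "$1" "$2" "$users" || continue
        case " $origins " in *" ALL "*|*" $3 "*) ;; *) continue ;; esac
        [ "$perm" = + ] && echo allow || echo deny     # first match wins
        return 0
    done
    echo allow                                         # no rule matched
)

# The monkeysphere system user is in none of the excepted names or groups.
printf '%s\n' "$PAGE_RULE" | access_decision monkeysphere "monkeysphere" pts/0
```

On a real host the group list would come from `id -Gn <user>` and the rules from /etc/security/access.conf.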


