Received: (at 805) by bugs.devuan.org; 1 Dec 2023 01:13:31 +0000
Date: Thu, 30 Nov 2023 09:19:51 +0000
From: meow <[email protected]>
To: Mark Hindley <[email protected]>
CC: [email protected]
Subject: Re: bug#805: openrc: supervise-daemon: missing PAM configuration

I reply to:

"
Hi,

On Sat, Nov 25, 2023 at 06:48:42AM +0000, meow wrote:

Yes, you’re right, it should be included in the configuration file.
/etc/pam.d/supervise-daemon:
#%PAM-1.0
auth required pam_permit.so
account required pam_permit.so
password required pam_deny.so
session optional pam_limits.so
@include common-account
@include common-session-nointeractive
use 'common-*' incorrectly. we only need common-account and
common-session-nointetactive.


This is different to what I suggested.

I think

auth required pam_permit.so
account required pam_permit.so


Should be *replaced* by

@include common-auth
@include common-account

And

session optional pam_limits.so


should be after

@include common-session-nointetactive

That makes the whole config

#%PAM-1.0
password required pam_deny.so
@include common-account
@include common-account
@include common-session-nointeractive
session optional pam_limits.so

Is that better?

If you have improvements, please provide the reasoning as well.

Thanks

Mark "

On November 29, 2023 5:39:27 PM UTC, Mark Hindley <[email protected]> wrote:
>On Wed, Nov 29, 2023 at 12:07:57AM +0000, meow wrote:
>> No, there are nuances. for example, the PAM access module.
>> if you turn it on, supervise-daemon stops working correctly.
>
>Please don't top post.
>
>I don't understand what you are answering here.
>
>Sorry.
>
>Mark

Received: (at 805) by bugs.devuan.org; 29 Nov 2023 17:40:35 +0000
Date: Wed, 29 Nov 2023 17:39:27 +0000
From: Mark Hindley <[email protected]>
To: meow <[email protected]>
Cc: [email protected]
Subject: Re: bug#805: openrc: supervise-daemon: missing PAM configuration

On Wed, Nov 29, 2023 at 12:07:57AM +0000, meow wrote:
> No, there are nuances. for example, the PAM access module.
> if you turn it on, supervise-daemon stops working correctly.

Please don't top post.

I don't understand what you are answering here.

Sorry.

Mark

Received: (at 805) by bugs.devuan.org; 28 Nov 2023 23:12:01 +0000
Date: Wed, 29 Nov 2023 00:07:57 +0000
From: meow <[email protected]>
To: Mark Hindley <[email protected]>
CC: [email protected]
Subject: Re: bug#805: openrc: supervise-daemon: missing PAM configuration

No, there are nuances. For example, the PAM access module.
If you turn it on, supervise-daemon stops working correctly.

On November 26, 2023 9:07:28 AM UTC, Mark Hindley <[email protected]> wrote:
>Hi,
>
>On Sat, Nov 25, 2023 at 06:48:42AM +0000, meow wrote:
>> Yes, you’re right, it should be included in the configuration file.
>> /etc/pam.d/supervise-daemon:
>> #%PAM-1.0
>> auth required pam_permit.so
>> account required pam_permit.so
>> password required pam_deny.so
>> session optional pam_limits.so
>> @include common-account
>> @include common-session-nointeractive
>> use 'common-*' incorrectly. we only need common-account and
>> common-session-nointetactive.
>
>This is different to what I suggested.
>
>I think
>
>> auth required pam_permit.so
>> account required pam_permit.so
>
>Should be *replaced* by
>
>@include common-auth
>@include common-account
>
>And
>
>> session optional pam_limits.so
>
>should be after
>
>@include common-session-nointetactive
>
>That makes the whole config
>
>#%PAM-1.0
>password required pam_deny.so
>@include common-account
>@include common-account
>@include common-session-nointeractive
>session optional pam_limits.so
>
>Is that better?
>
>If you have improvements, please provide the reasoning as well.
>
>Thanks
>
>Mark

Received: (at 805) by bugs.devuan.org; 26 Nov 2023 09:09:02 +0000
Date: Sun, 26 Nov 2023 09:07:28 +0000
From: Mark Hindley <[email protected]>
To: meow <[email protected]>
Cc: [email protected]
Subject: Re: bug#805: openrc: supervise-daemon: missing PAM configuration

Hi,

On Sat, Nov 25, 2023 at 06:48:42AM +0000, meow wrote:
> Yes, you’re right, it should be included in the configuration file.
> /etc/pam.d/supervise-daemon:
> #%PAM-1.0
> auth required pam_permit.so
> account required pam_permit.so
> password required pam_deny.so
> session optional pam_limits.so
> @include common-account
> @include common-session-nointeractive
> use 'common-*' incorrectly. we only need common-account and
> common-session-nointetactive.

This is different to what I suggested.

I think

> auth required pam_permit.so
> account required pam_permit.so

Should be *replaced* by

@include common-auth
@include common-account

And

> session optional pam_limits.so

should be after

@include common-session-nointetactive

That makes the whole config

#%PAM-1.0
password required pam_deny.so
@include common-account
@include common-account
@include common-session-nointeractive
session optional pam_limits.so

Is that better?

If you have improvements, please provide the reasoning as well.

Thanks

Mark

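Added example, not part of the bug thread and not OpenRC or Devuan code: a small Python linter for a PAM service file, run over the "whole config" exactly as written in the 26 Nov message above and over a variant constructed from that message's prose. The function name, the finding labels and the KNOWN_INCLUDES table (which assumes Debian's libpam-runtime layout of common-* files) are assumptions of this example; included files are not read, so pam_limits.so is only detected when the service file names it directly.

```python
"""Lint a PAM service file such as /etc/pam.d/supervise-daemon (added example)."""
import re

PAM_TYPES = ("auth", "account", "password", "session")

# Assumption: the rule type each Debian common-* file contributes.
KNOWN_INCLUDES = {
    "common-auth": {"auth"},
    "common-account": {"account"},
    "common-password": {"password"},
    "common-session": {"session"},
    "common-session-noninteractive": {"session"},
}

# "<type> <control> <module> [args]"; control is a keyword or a [k=v ...] block.
RULE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)"
)


def lint_pam_service(text, known_includes=KNOWN_INCLUDES):
    """Return a list of (line_number, finding, detail); line 0 means whole file."""
    findings = []
    covered = set()          # rule types that end up with at least one rule
    includes_seen = []       # @include targets in order of appearance
    session_modules = []     # modules named directly in session rules

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.startswith("@include"):
            parts = line.split()
            if len(parts) != 2:
                findings.append((lineno, "malformed-include", line))
                continue
            name = parts[1]
            if name in includes_seen:
                findings.append((lineno, "duplicate-include", name))
            includes_seen.append(name)
            if name in known_includes:
                covered |= known_includes[name]
            else:
                # A misspelled file name lands here: nothing is pulled in.
                findings.append((lineno, "unknown-include", name))
            continue
        match = RULE_RE.match(line)
        if not match:
            findings.append((lineno, "unparsed-line", line))
            continue
        rule_type, module = match.group(1), match.group(3)
        covered.add(rule_type)
        if rule_type == "session":
            session_modules.append(module.rsplit("/", 1)[-1])

    for rule_type in PAM_TYPES:
        if rule_type not in covered:
            findings.append((0, "no-rules-for-type", rule_type))
    # The thread's concern: without pam_limits the service runs unrestricted.
    if "pam_limits.so" not in session_modules:
        findings.append((0, "no-pam-limits", "session"))
    return findings


# Copied as written from the 26 Nov message in this thread.
THREAD_CONFIG = """\
#%PAM-1.0
password required pam_deny.so
@include common-account
@include common-account
@include common-session-nointeractive
session optional pam_limits.so
"""

# Constructed for this example from the prose of the same message
# (common-auth plus common-account, pam_limits after the session include).
INTENDED_CONFIG = """\
#%PAM-1.0
password required pam_deny.so
@include common-auth
@include common-account
@include common-session-noninteractive
session optional pam_limits.so
"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("intended", INTENDED_CONFIG)):
        print(label, lint_pam_service(cfg))
```
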
Received: (at 805) by bugs.devuan.org; 25 Nov 2023 06:10:32 +0000
Date: Sat, 25 Nov 2023 07:07:40 +0000
From: meow <[email protected]>
To: Mark Hindley <[email protected]>
CC: [email protected]
Subject: Re: bug#805: openrc: supervise-daemon: missing PAM configuration

Yes, you’re right, it should be included in the configuration file.

/etc/pam.d/supervise-daemon:
#%PAM-1.0

auth            required        pam_permit.so
account         required        pam_permit.so
password        required        pam_deny.so
session         optional        pam_limits.so
@include common-account
@include common-session-noninteractive

use 'common-*' incorrectly. We only need common-account and common-session-noninteractive.
This config should work well in Debian.

On November 24, 2023 6:16:10 PM UTC, Mark Hindley <[email protected]> wrote:
>Lorietta,
>
>On Fri, Nov 24, 2023 at 03:52:58AM +0000, meow wrote:
>> Example: Local DoS attack due to lack of PAM limits.
>> I think it’s safe to either include limits.so in /etc/pam.d/other, or
>> add a configuration for supervise-daemon.
>> Also, I have a question. What exactly is incompatible with debian in
>> the upstream version of this file? I added this file to my system and
>> everything works well, limits are applied and supervise-daemon
>> continues in normal mode.
>
>Debian uses pam-auth-update(8) to manage the addition of modules to
>/etc/pam.d/common-*. That will not work with the supplied upstream pam config.
>
>I am not a pam expert, but I *think* the Debian approach should be something
>like
>
>
>@include common-auth
>@include common-account
>@include common-password
>session optional pam_limits.so
>
>Does that work for you?
>
>Thanks
>
>Mark
I added this file to my system and<br= >everything works well, limits are applied and supervise-daemon<br>continue= s in normal mode=2E<br></div></blockquote><div dir=3D"auto"><br>Debian uses= pam-auth-update(8) to manage the addition of modules to<br>/etc/pam=2Ed/co= mmon-*=2E That will not work with the supplied upstream pam config=2E<br><b= r>I am not a pam expert, but I *think* the Debian approach should be someth= ing<br>like<br><br><br>@include common-auth<br>@include common-account<br>@= include common-password<br>session optional pam_limits=2Eso<= br><br>Does that work for you?<br><br>Thanks<br><br>Mark<br></div></pre></b= lockquote></div></body></html> ------SSIQX2U6997IVQMT0EWOD81B7VFUCL--
Received: (at 805) by bugs.devuan.org; 25 Nov 2023 05:52:36 +0000
Date: Sat, 25 Nov 2023 06:48:42 +0000
From: meow <[email protected]>
To: Mark Hindley <[email protected]>
CC: [email protected]
Subject: Re: bug#805: openrc: supervise-daemon: missing PAM configuration

Yes, you’re right, it should be included in the configuration file.

/etc/pam.d/supervise-daemon:
#%PAM-1.0

auth required pam_permit.so
account required pam_permit.so
password required pam_deny.so
session optional pam_limits.so
@include common-account
@include common-session-noninteractive

using 'common-*' is incorrect. we only need common-account and common-session-noninteractive.
this config should work well in debian.

On November 24, 2023 6:16:10 PM UTC, Mark Hindley <[email protected]> wrote:
>Lorietta,
>
>On Fri, Nov 24, 2023 at 03:52:58AM +0000, meow wrote:
>> Example: Local DoS attack due to lack of PAM limits.
>> I think it’s safe to either include limits.so in /etc/pam.d/other, or
>> add a configuration for supervise-daemon.
>> Also, I have a question. What exactly is incompatible with debian in
>> the upstream version of this file? I added this file to my system and
>> everything works well, limits are applied and supervise-daemon
>> continues in normal mode.
>
>Debian uses pam-auth-update(8) to manage the addition of modules to
>/etc/pam.d/common-*. That will not work with the supplied upstream pam config.
>
>I am not a pam expert, but I *think* the Debian approach should be something
>like
>
>
>@include common-auth
>@include common-account
>@include common-password
>session optional pam_limits.so
>
>Does that work for you?
>
>Thanks
>
>Mark

Received: (at 805) by bugs.devuan.org; 24 Nov 2023 18:16:32 +0000
Date: Fri, 24 Nov 2023 18:16:10 +0000
From: Mark Hindley <[email protected]>
To: meow <[email protected]>
Cc: [email protected]
Subject: Re: bug#805: openrc: supervise-daemon: missing PAM configuration

Lorietta,

On Fri, Nov 24, 2023 at 03:52:58AM +0000, meow wrote:
> Example: Local DoS attack due to lack of PAM limits.
> I think it’s safe to either include limits.so in /etc/pam.d/other, or
> add a configuration for supervise-daemon.
> Also, I have a question. What exactly is incompatible with debian in
> the upstream version of this file? I added this file to my system and
> everything works well, limits are applied and supervise-daemon
> continues in normal mode.

Debian uses pam-auth-update(8) to manage the addition of modules to
/etc/pam.d/common-*. That will not work with the supplied upstream pam config.

I am not a pam expert, but I *think* the Debian approach should be something
like


@include common-auth
@include common-account
@include common-password
session optional pam_limits.so

Does that work for you?

Thanks

Mark

Received: (at 805) by bugs.devuan.org; 24 Nov 2023 02:55:35 +0000
Date: Fri, 24 Nov 2023 03:52:58 +0000
From: meow <[email protected]>
To: Mark Hindley <[email protected]>, [email protected]
Subject: Re: bug#805: openrc: supervise-daemon: missing PAM configuration

Example: Local DoS attack due to lack of PAM limits.
I think it’s safe to either include limits.so in /etc/pam.d/other, or add a configuration for supervise-daemon.
Also, I have a question. What exactly is incompatible with debian in the upstream version of this file? I added this file to my system and everything works well, limits are applied and supervise-daemon continues in normal mode.

On November 23, 2023 7:55:34 PM UTC, Mark Hindley <[email protected]> wrote:
>Lorietta,
>
>Thanks
>
>On Thu, Nov 23, 2023 at 12:50:36AM +0000, meow wrote:
>> Package: openrc
>> X-Debbugs-Cc: [email protected]
>> Version: 0.45.2-2
>> Severity: grave
>> Justification: user security hole
>> Tags: security patch
>> Dear Maintainer,
>> the openrc package is missing the /etc/pam.d/supervise-daemon file.
>> this file is in upstream. due to the absence of this file, settings
>> from /etc/security are not applied to supervise-daemon, which can lead
>> to very sad consequences.
>
>Are you sure that is true? What consequences specifically?
>
>Whilst you are correct that the upstream pam supervise-daemon is omitted, it
>isn't correct for a Debian based system. We would need a more tailored pam
>configuration.
>
>In addition, if there is no specific pam configuration, the fallback file
>/etc/pam.d/other is used
>
>#
># /etc/pam.d/other - specify the PAM fallback behaviour
>#
># Note that this file is used for any unspecified service; for example
>#if /etc/pam.d/cron specifies no session modules but cron calls
>#pam_open_session, the session module out of /etc/pam.d/other is
>#used. If you really want nothing to happen then use pam_permit.so or
>#pam_deny.so as appropriate.
>
># We fall back to the system default in /etc/pam.d/common-*
>#
>
>@include common-auth
>@include common-account
>@include common-password
>@include common-session
>
>So, there may be the optional pam_limits that is missing.
>
>Do you see anything else?
>
>Mark

Received: (at 805) by bugs.devuan.org; 23 Nov 2023 19:57:04 +0000
Date: Thu, 23 Nov 2023 19:55:34 +0000
From: Mark Hindley <[email protected]>
To: meow <[email protected]>, [email protected]
Subject: Re: bug#805: openrc: supervise-daemon: missing PAM configuration

Lorietta,

Thanks

On Thu, Nov 23, 2023 at 12:50:36AM +0000, meow wrote:
> Package: openrc
> X-Debbugs-Cc: [email protected]
> Version: 0.45.2-2
> Severity: grave
> Justification: user security hole
> Tags: security patch
> Dear Maintainer,
> the openrc package is missing the /etc/pam.d/supervise-daemon file.
> this file is in upstream. due to the absence of this file, settings
> from /etc/security are not applied to supervise-daemon, which can lead
> to very sad consequences.

Are you sure that is true? What consequences specifically?

Whilst you are correct that the upstream pam supervise-daemon is omitted, it
isn't correct for a Debian based system. We would need a more tailored pam
configuration.

In addition, if there is no specific pam configuration, the fallback file
/etc/pam.d/other is used

#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
#

@include common-auth
@include common-account
@include common-password
@include common-session

So, there may be the optional pam_limits that is missing.

Do you see anything else?

Mark

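Added example (not part of the thread, and not OpenRC or Devuan code): a small resolver for the fallback described in the message above. It expands @include lines, falls back to /etc/pam.d/other for any type the service file leaves empty, and reports whether pam_limits.so ends up in the session stack. The function names and the common-* contents are constructed for illustration; only the two supervise-daemon candidates are taken from the thread, and the check covers presence in the stack, not whether the program calls pam_open_session.

```python
import os
import tempfile

PAM_TYPES = ("auth", "account", "password", "session")


def _parse_file(pam_dir, name, seen):
    """Parse one pam.d file into (type, control, module, source) rules."""
    if name in seen:                       # guard against include loops
        return []
    seen = seen | {name}
    rules = []
    with open(os.path.join(pam_dir, name), encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()    # drops comments and #%PAM-1.0
            if not line:
                continue
            if line.startswith("@include"):        # Debian-style whole-file include
                rules += _parse_file(pam_dir, line.split()[1], seen)
                continue
            ptype, rest = line.split(None, 1)
            ptype = ptype.lstrip("-")              # "-session": tolerate missing module
            if rest.startswith("["):               # [success=1 default=ignore]
                control, rest = rest.split("]", 1)
                control += "]"
            else:
                control, rest = rest.split(None, 1)
            module = rest.split()[0]
            if control in ("include", "substack"):  # e.g. "auth include common-auth"
                rules += [r for r in _parse_file(pam_dir, module, seen)
                          if r[0] == ptype]
            elif ptype in PAM_TYPES:
                rules.append((ptype, control, module, name))
    return rules


def effective_stack(pam_dir, service):
    """Rules used for `service`; empty types are filled from `other`."""
    other = _parse_file(pam_dir, "other", frozenset())
    own = []
    if os.path.isfile(os.path.join(pam_dir, service)):
        own = _parse_file(pam_dir, service, frozenset())
    stack = {}
    for ptype in PAM_TYPES:
        mine = [r for r in own if r[0] == ptype]
        stack[ptype] = mine or [r for r in other if r[0] == ptype]
    return stack


def limits_applied(pam_dir, service):
    """True if pam_limits.so is in the effective session stack."""
    session = effective_stack(pam_dir, service)["session"]
    return any(rule[2] == "pam_limits.so" for rule in session)


# Constructed stand-ins for the common-* files (not the real Debian files).
SAMPLE = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth requisite pam_deny.so\n"
                   "auth required pam_permit.so\n",
    "common-account": "account required pam_unix.so\n",
    "common-password": "password required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n",
    "other": "@include common-auth\n@include common-account\n"
             "@include common-password\n@include common-session\n",
}
# The upstream file proposed in the original report.
UPSTREAM = ("#%PAM-1.0\nauth required pam_permit.so\n"
            "account required pam_permit.so\n"
            "password required pam_deny.so\n"
            "session optional pam_limits.so\n")
# The Debian-style variant suggested in the 24 Nov reply.
DEBIAN_STYLE = ("@include common-auth\n@include common-account\n"
                "@include common-password\n"
                "session optional pam_limits.so\n")


def build(extra=None):
    """Write the constructed files into a temporary pam.d directory."""
    pam_dir = tempfile.mkdtemp(prefix="pamd-")
    for name, text in {**SAMPLE, **(extra or {})}.items():
        with open(os.path.join(pam_dir, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return pam_dir


if __name__ == "__main__":
    cases = (("no service file", None),
             ("upstream file", {"supervise-daemon": UPSTREAM}),
             ("Debian-style file", {"supervise-daemon": DEBIAN_STYLE}))
    for label, extra in cases:
        print(label, "-> pam_limits in session stack:",
              limits_applied(build(extra), "supervise-daemon"))
```

Pointing effective_stack() at a copy of a real /etc/pam.d shows which file each rule comes from, which is the quickest way to see whether a service is running on the `other` fallback.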
Full text available.Received: (at submit) by bugs.devuan.org; 23 Nov 2023 00:00:02 +0000 Return-Path: <[email protected]> Delivered-To: [email protected] Received: from email.devuan.org [2a01:4f8:a0:3284::74ca:8ad2] by doc.devuan.org with IMAP (fetchmail-6.4.16) for <debbugs@localhost> (single-drop); Thu, 23 Nov 2023 00:00:02 +0000 (UTC) Received: from email.devuan.org by email.devuan.org with LMTP id /FCsB2aUXmVpKQAAmSBk0A (envelope-from <[email protected]>) for <[email protected]>; Wed, 22 Nov 2023 23:53:10 +0000 Received: by email.devuan.org (Postfix, from userid 109) id 1474C679; Wed, 22 Nov 2023 23:53:10 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on email.devuan.org X-Spam-Level: *** X-Spam-Status: No, score=3.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_SBL_CSS,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=2607:f8b0:4864:20::242; helo=mail-oi1-x242.google.com; [email protected]; receiver=<UNKNOWN> Received: from mail-oi1-x242.google.com (mail-oi1-x242.google.com [IPv6:2607:f8b0:4864:20::242]) by email.devuan.org (Postfix) with ESMTPS id 4A62559 for <[email protected]>; Wed, 22 Nov 2023 23:53:04 +0000 (UTC) Received: by mail-oi1-x242.google.com with SMTP id 5614622812f47-3b8400b5de0so238961b6e.3 for <[email protected]>; Wed, 22 Nov 2023 15:53:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1700697182; x=1701301982; darn=bugs.devuan.org; h=content-transfer-encoding:mime-version:message-id:subject:to:from :date:from:to:cc:subject:date:message-id:reply-to; bh=0U8dUqhA1AxeKP2XkSSuwV1B75kNZhWhL4+hA/pLrHg=; b=m+Y9S36x20sFi20VS84TNaM9AcW13P6iV+XIn7TkbcS4VMLCv1VRslhiv4wKQDCisV T0ksnWra969gQxcTGdm+IRM6is5MYljTAcEEo4L8N9XEpH24Uwv+YymQnWD2OW+3Gf6B Z9/4j3lThdAWdpIM3V24cywwqD9D+9K3LVXohmKX9DtveSXm1DqUMnOSvKfDNzYwsF8c 
Date: Thu, 23 Nov 2023 00:50:36 +0000
From: meow <[email protected]>
To: [email protected]
Subject: openrc: supervise-daemon: missing PAM configuration
Message-ID: <[email protected]>

Package: openrc
X-Debbugs-Cc: lorietta2023@gmail.com
Version: 0.45.2-2
Severity: grave
Justification: user security hole
Tags: security patch

Dear Maintainer,

the openrc package is missing the /etc/pam.d/supervise-daemon file.
this file is in upstream. due to the absence of this file, settings from /etc/security are not applied to supervise-daemon, which can lead to very sad consequences.

solution: include in the 'openrc' package the file '/etc/pam.d/supervise-daemon' with the following content:

#%PAM-1.0
auth required pam_permit.so
account required pam_permit.so
password required pam_deny.so
session optional pam_limits.so

upstream: https://github.com/OpenRC/openrc/blob/master/src/supervise-daemon/supervise-daemon.pam

-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 5 (daedalus)
Release: 5
Codename: daedalus
Architecture: x86_64

Kernel: Linux 6.1.0-13-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: OpenRC (via /run/openrc)

Versions of packages openrc depends on:
ii  insserv      1.24.0-1
ii  libaudit1    1:3.0.9-1
ii  libc6        2.36-9+deb12u3
ii  libeinfo1    0.45.2-2
ii  libpam0g     1.5.2-6+deb12u1
ii  librc1       0.45.2-2
ii  libselinux1  3.4-1+b6

openrc recommends no packages.

Versions of packages openrc suggests:
pn  policycoreutils  <none>
pn  sysvinit-core    <none>

-- Configuration Files:
/etc/init.d/agetty [Errno 13] Permission denied: '/etc/init.d/agetty'
/etc/init.d/cgroups [Errno 13] Permission denied: '/etc/init.d/cgroups'
/etc/init.d/rc [Errno 13] Permission denied: '/etc/init.d/rc'
/etc/init.d/rcS [Errno 13] Permission denied: '/etc/init.d/rcS'
/etc/init.d/savecache [Errno 13] Permission denied: '/etc/init.d/savecache'
/etc/rc.conf changed [not included]

-- no debconf information
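A check for the condition described in the report above, as an added example that is not part of the original message or of OpenRC: it resolves which PAM file applies to a service and lists the modules in its session stack. Linux-PAM uses the `other` service when no file exists for the requested name, so whether pam_limits.so runs then depends entirely on what `other` pulls in. The fallback files below are constructed, and the service name is assumed to match the file name given in the report.

```python
import os
import tempfile

# Content proposed in the report for /etc/pam.d/supervise-daemon.
REPORTED = ("#%PAM-1.0\nauth required pam_permit.so\naccount required pam_permit.so\n"
            "password required pam_deny.so\nsession optional pam_limits.so\n")
# Constructed fallback files (assumption, not any distribution's real content).
FALLBACK = {"other": "@include common-session\n",
            "common-session": "session [default=1] pam_permit.so\n"
                              "session required pam_unix.so\n"}

def session_modules(pam_dir, service, seen=None):
    """Modules in the session stack PAM would load for `service`."""
    top_level = seen is None
    seen = set() if top_level else seen
    path = os.path.join(pam_dir, service)
    if top_level and not os.path.isfile(path):
        path = os.path.join(pam_dir, "other")      # Linux-PAM's default service
    if path in seen or not os.path.isfile(path):   # include loop or missing file
        return []
    seen.add(path)
    found = []
    with open(path) as fh:
        for line in fh:
            f = line.split("#", 1)[0].split()
            if len(f) >= 2 and f[0] == "@include":             # Debian-style include
                found += session_modules(pam_dir, f[1], seen)
            elif len(f) >= 3 and f[0].lstrip("-") == "session":
                i = 1
                if f[1].startswith("["):                       # [value=action ...]
                    while i < len(f) and not f[i].endswith("]"):
                        i += 1
                if i + 1 >= len(f):
                    continue
                if f[i] in ("include", "substack"):
                    found += session_modules(pam_dir, f[i + 1], seen)
                else:
                    found.append(os.path.basename(f[i + 1]))
    return found

def limits_applied(pam_dir, service="supervise-daemon"):
    return "pam_limits.so" in session_modules(pam_dir, service)

def make_tree(files):
    """Write a constructed pam.d directory into a temp dir and return its path."""
    root = tempfile.mkdtemp()
    for name, text in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    print("pam_limits in session stack:", limits_applied("/etc/pam.d"))
```

Run against `/etc/pam.d` it reports whether the session stack that supervise-daemon would get includes pam_limits.so, with or without the service file in place.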
Last modified:
Sat, 30 Nov 2024 22:39:01 UTC