Bug 1745136

Summary: no support for UID_MIN in /etc/login.defs
Product: [Fedora] Fedora Reporter: Terje Røsten <terje.rosten>
Component: authselectAssignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 30CC: edgar.hoch, jhrozek, pbrezina, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: authselect-1.2-1.fc32 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1773567 (view as bug list) Environment:
Last Closed: 2020-03-31 00:15:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1773567    

Description Terje Røsten 2019-08-23 16:50:53 UTC 
Description of problem:

Seems like this bug from authconfig is repeated in authselect:

 https://bugzilla.redhat.com/show_bug.cgi?id=717112

Setting UID_MIN in /etc/login.defs dont propagate to /etc/pam.d/password-auth
and /etc/pam.d/system-auth after run of authselect.

Please add this feature.
Comment 1 Pavel Březina 2019-09-16 08:06:52 UTC 
Upstream ticket:
https://github.com/pbrezina/authselect/issues/182
Comment 2 Pavel Březina 2019-10-02 12:50:52 UTC 
Thinking about this, I do not think that authselect (or authconfig) is the correct place for this. Everytime /etc/login.defs is changed authselect would have to be called again in order to regenerate the pam stack with updated value.

Better solution would be to add a new feature to pam_succeed_if that would read the value from login.defs and use it. Something like:
pam_succeed_if.so uid >= UID_MIN

Tomas, what do you think? I could do the coding, but I want to know your opinion.
Comment 3 Tomas Mraz 2019-10-02 13:22:59 UTC 
It seems to me to be a little feature creep for pam_succeed_if.so. Maybe a better solution would be a new module - something like pam_usertype.so

It could have options like: "isregular" - if uid within UID_MIN and MAX, "issystem" - within SYS_UID_MIN SYS_UID_MAX. And "notregular" "notsystem" for inverted test. It could also support "use_uid" option similarly to pam_succeed_if.
Comment 4 Pavel Březina 2019-10-03 09:06:57 UTC 
Why not do this as part of pam_succeed_if?
Comment 5 Tomas Mraz 2019-10-03 10:19:15 UTC 
Because by adding reading of login.defs it would be overstretching its purpose.
Comment 6 Pavel Březina 2019-10-03 10:35:58 UTC 
From man page: "pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated"

It fits perfectly for "user isregular" and "user issystem" conditions. Besides the new module would share the whole code with pam_succeed_if because the logic and purpose is the same just the available conditions would be different.
Comment 7 Tomas Mraz 2019-10-03 10:43:02 UTC 
(In reply to Pavel Březina from comment #6)

> It fits perfectly for "user isregular" and "user issystem" conditions.
> Besides the new module would share the whole code with pam_succeed_if
> because the logic and purpose is the same just the available conditions
> would be different.

Not really. If these are just options, there would not be much code shared except for the usual PAM module boilerplate.

With my upstream hat on I really dislike adding this to pam_succeed_if.
Comment 8 Pavel Březina 2019-10-03 11:00:32 UTC 
Ok. Thank you for your opinion. I will write the new module.
Comment 9 Pavel Březina 2020-01-14 11:59:44 UTC 
linux-pam PR: https://github.com/linux-pam/linux-pam/pull/166
Comment 10 Pavel Březina 2020-02-17 10:56:17 UTC 
* `master`
  * 4cfb20423ca9a3e9b2b3de627b751e61fb0cf560 - profiles: switch uid checks to pam_usertype
Comment 11 Fedora Update System 2020-03-04 12:09:51 UTC 
FEDORA-2020-9f8d3d996d has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9f8d3d996d
Comment 12 Fedora Update System 2020-03-04 20:15:13 UTC 
authselect-1.2-1.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9f8d3d996d
Comment 13 Fedora Update System 2020-03-17 09:03:54 UTC 
FEDORA-2020-9f8d3d996d has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9f8d3d996d
Comment 14 Fedora Update System 2020-03-18 02:38:02 UTC 
authselect-1.2-1.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9f8d3d996d
Comment 15 Fedora Update System 2020-03-31 00:15:52 UTC 
FEDORA-2020-9f8d3d996d has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.