sys-auth/pambase: Fall back to pam_deny in auth

Setting pam_unix and pam_sss to sufficient means that if both fail, control will be passed to the following pam module. If this is pam_permit then permission will be granted even if the previous modules failed. Switch to pam_deny and require it rather than permitting it to be optional - if sss or unix succeed, we'll jump out before we get to this point.
2025-08-24 16:01:09 +02:00 · 2016-05-15 21:04:25 -07:00 · 2016-05-15 21:04:25 -07:00 · 3865f77ecd
commit 3865f77ecd
parent 4a94f04736
2 changed files with 17 additions and 13 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/files/pambase-20120417-sssd.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/files/pambase-20120417-sssd.patch
@ -1,7 +1,7 @@
-diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in
+diff -ur pambase-20120417.orig/system-auth.in pambase-20120417/system-auth.in
--- pambase-20140313.orig/system-auth.in	2014-03-13 07:13:15.000000000 -0700
+--- pambase-20120417.orig/system-auth.in	2016-05-15 21:01:29.705547981 -0700
-+++ pambase-20140313/system-auth.in	2016-05-02 12:57:35.437730031 -0700
+++ pambase-20120417/system-auth.in	2016-05-15 21:03:08.134220108 -0700
-@@ -7,7 +7,8 @@
+@@ -7,14 +7,16 @@
 #if HAVE_KRB5
 auth		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
 #endif
@ -9,17 +9,18 @@ diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in
 +auth		sufficient	pam_sss.so use_first_pass
 +auth		sufficient	pam_unix.so try_first_pass LIKEAUTH nullok DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
- auth		optional	pam_permit.so
+-auth		optional	pam_permit.so
 +auth		required	pam_deny.so
-@@ -16,6 +17,7 @@
+ #if HAVE_KRB5
 account		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
 #endif
 account		required	pam_unix.so DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
 +account		sufficient	pam_sss.so
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
 account		optional	pam_permit.so
- #if HAVE_CRACKLIB
+@@ -27,9 +29,10 @@
@@ -27,7 +29,8 @@
 #if HAVE_KRB5
 password	KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
 #endif
@ -27,11 +28,14 @@ diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in
 +password	sufficient	pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
 +password	sufficient	pam_sss.so use_authtok
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
- password	optional	pam_permit.so
+-password	optional	pam_permit.so
 +password	required	pam_deny.so
-diff -ur pambase-20140313.orig/system-session.inc pambase-20140313/system-session.inc
+ #if HAVE_PAM_SSH
--- pambase-20140313.orig/system-session.inc	2014-03-13 07:13:15.000000000 -0700
+ session		optional	pam_ssh.so
-+++ pambase-20140313/system-session.inc	2016-05-02 12:57:59.723883487 -0700
+diff -ur pambase-20120417.orig/system-session.inc pambase-20120417/system-session.inc
 --- pambase-20120417.orig/system-session.inc	2012-03-20 11:10:47.000000000 -0700
 +++ pambase-20120417/system-session.inc	2016-05-15 21:02:00.151753215 -0700
@@ -23,3 +23,4 @@
 #endif
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r6.ebuild