Merge pull request #166 from grondo/debian-enable-pam

build: enable PAM in `make deb`
flux-framework · May 10, 2023 · 2c4115b · 2c4115b
2 parents 4df3d8b + d4f48cc
commit 2c4115b
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -5,17 +5,19 @@ Independent project for Flux security code and APIs.
 
 flux-security requires the following packages to build:
 
-**redhat**	| **ubuntu**		| **version**
-----------	| ----------		| -----------
-autoconf	| autoconf		|
-automake	| automake		|
-libtool		| libtool		|
-make		| make			|
-pkgconfig	| pkg-config	|
-libsodium-devel	| libsodium-dev		| >= 1.0.14
-jansson-devel	| libjansson-dev	|
-libuuid-devel	| uuid-dev		|
-munge-devel	| libmunge-dev		|
+**redhat**	| **ubuntu**		| **version** | **notes**
+----------	| ----------		| ----------- | ---------
+autoconf	| autoconf		|             |
+automake	| automake		|             |
+libtool		| libtool		|             |
+make		| make			|             |
+pkgconfig	| pkg-config	        |             |
+libsodium-devel	| libsodium-dev		| >= 1.0.14   |
+jansson-devel	| libjansson-dev	|             |
+libuuid-devel	| uuid-dev		|             |
+munge-devel	| libmunge-dev		|             |
+pam-devel	| libpam0g-dev		|             | for --enable-pam
+
 
 ##### Installing RedHat/CentOS Packages
 ```

diff --git a/debian/control b/debian/control
@@ -8,7 +8,8 @@ Build-Depends:
   libsodium-dev,
   libjansson-dev,
   uuid-dev,
-  libmunge-dev
+  libmunge-dev,
+  libpam0g-dev
 
 Homepage: https://github.com/flux-framework/flux-security
 Package: flux-security

diff --git a/debian/rules b/debian/rules
@@ -19,6 +19,10 @@
 override_dh_autoreconf:
 	@echo not running autogen.sh on dist product
 
+override_dh_auto_configure:
+	dh_auto_configure -- \
+                --enable-pam
+
 override_dh_auto_install:
 	dh_auto_install
 	find . -name '*.la' -delete

diff --git a/doc/requirements.txt b/doc/requirements.txt
@@ -2,3 +2,4 @@ sphinx==3.4.3
 sphinx-rtd-theme>=0.5.2
 docutils>=0.14,<0.18
 Jinja2<3.1
+urllib3<2
diff --git a/src/imp/exec/exec.c b/src/imp/exec/exec.c
@@ -99,13 +99,11 @@ static bool imp_exec_unprivileged_allowed (struct imp_exec *exec)
 }
 
 
-#if HAVE_PAM
 /* Check for PAM support, but default to not using PAM for now.
  */
 static bool imp_supports_pam (struct imp_exec *exec) {
     return cf_bool (cf_get_in (exec->conf, "pam-support"));
 }
-#endif
 
 static void imp_exec_destroy (struct imp_exec *exec)
 {
@@ -301,14 +299,18 @@ int imp_exec_privileged (struct imp_state *imp, struct kv *kv)
     if (privsep_wait (imp->ps) < 0)
         exit (1);
 
-#if HAVE_PAM
     /* Call privileged IMP plugins/containment */
     if (imp_supports_pam (exec)) {
+#if HAVE_PAM
         struct passwd *user_pwd = passwd_from_uid (exec->userid);
         if (pam_setup (user_pwd->pw_name) < 0)
             imp_die (1, "exec: PAM stack failure");
-    }
+#else
+        imp_die (1,
+                 "exec: pam-support=true, but IMP was built without "
+                 "--enable-pam");
 #endif /* HAVE_PAM */
+    }
 
     /* Block signals so parent IMP isn't unduly terminated */
     sigblock_all ();

diff --git a/t/t2000-imp-exec.t b/t/t2000-imp-exec.t
@@ -59,7 +59,7 @@ test_expect_success 'create configs for flux-imp exec and signer' '
 	allowed-shells = [ "id", "echo", "$(pwd)/sleeper.sh" ]
 	allow-unprivileged-exec = true
 	EOF
-	cat <<-EOF >sign-none-allowed-munge.toml
+	cat <<-EOF >sign-none-allowed-munge.toml &&
 	allow-sudo = true
 	[sign]
 	max-ttl = 30
@@ -70,6 +70,10 @@ test_expect_success 'create configs for flux-imp exec and signer' '
 	allowed-shells = [ "id", "echo" ]
 	allow-unprivileged-exec = true
 	EOF
+	cp sign-none.toml pam-test.toml &&
+	cat <<-EOF >>pam-test.toml
+	pam-support = true
+	EOF
 '
 test_expect_success 'flux-imp exec fails in unprivileged mode by default' '
 	( export FLUX_IMP_CONFIG_PATTERN=no-unpriv-exec.toml  &&
@@ -174,4 +178,14 @@ test_expect_success SUDO,NO_CHAIN_LINT 'flux-imp exec: setuid IMP lingers' '
 	kill -TERM $pid &&
 	wait
 '
+$flux_imp version | grep -q pam || test_set_prereq NO_PAM
+test_expect_success NO_PAM,SUDO 'flux-imp exec: fails if not built with PAM but pam-support=true' '
+	( export FLUX_IMP_CONFIG_PATTERN=pam-test.toml &&
+	  fake_imp_input foo | \
+		test_must_fail $SUDO FLUX_IMP_CONFIG_PATTERN=pam-test.toml \
+			$flux_imp exec echo ok > pam-err.out 2>&1
+	) &&
+	test_debug "cat pam-err.out" &&
+	grep "IMP was built without --enable-pam" pam-err.out
+'
 test_done