From 9117a0c979a20a1e4519f288aaba7777b592522e Mon Sep 17 00:00:00 2001 From: "Mark A. Grondona" Date: Wed, 3 May 2023 16:01:58 -0700 Subject: [PATCH 1/5] README.md: add PAM development package requirements Problem: The PAM development package is missing from the list of requirements in the README. Add the missing requirement. Add a new column to the table to note that PAM is only required for --enable-pam support. --- README.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 69fb53be..7ec0788b 100644 --- a/README.md +++ b/README.md @@ -5,17 +5,19 @@ Independent project for Flux security code and APIs. flux-security requires the following packages to build: -**redhat** | **ubuntu** | **version** ----------- | ---------- | ----------- -autoconf | autoconf | -automake | automake | -libtool | libtool | -make | make | -pkgconfig | pkg-config | -libsodium-devel | libsodium-dev | >= 1.0.14 -jansson-devel | libjansson-dev | -libuuid-devel | uuid-dev | -munge-devel | libmunge-dev | +**redhat** | **ubuntu** | **version** | **notes** +---------- | ---------- | ----------- | --------- +autoconf | autoconf | | +automake | automake | | +libtool | libtool | | +make | make | | +pkgconfig | pkg-config | | +libsodium-devel | libsodium-dev | >= 1.0.14 | +jansson-devel | libjansson-dev | | +libuuid-devel | uuid-dev | | +munge-devel | libmunge-dev | | +pam-devel | libpam0g-dev | | for --enable-pam + ##### Installing RedHat/CentOS Packages ``` From ee78d8f4fdca3e7c585e124604d5d56ac9805a0c Mon Sep 17 00:00:00 2001 
From: "Mark A. Grondona" Date: Wed, 3 May 2023 16:03:20 -0700 Subject: [PATCH 2/5] imp: exec: issue error if pam-support used without --enable-pam Problem: The IMP silently ignores `exec.pam-support = true` in the config file when flux-security was not built with --enable-pam. This can lead to confusion or worse if an admin erroneously thinks PAM support is working when it is not. Generate a fatal error if `exec.pam-support` is enabled when the IMP is not built with --enable-pam. --- src/imp/exec/exec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/imp/exec/exec.c b/src/imp/exec/exec.c index 24e3f112..70dc25e9 100644 --- a/src/imp/exec/exec.c +++ b/src/imp/exec/exec.c @@ -99,13 +99,11 @@ static bool imp_exec_unprivileged_allowed (struct imp_exec *exec) } -#if HAVE_PAM /* Check for PAM support, but default to not using PAM for now. */ static bool imp_supports_pam (struct imp_exec *exec) { return cf_bool (cf_get_in (exec->conf, "pam-support")); } -#endif static void imp_exec_destroy (struct imp_exec *exec) { @@ -301,14 +299,18 @@ int imp_exec_privileged (struct imp_state *imp, struct kv *kv) if (privsep_wait (imp->ps) < 0) exit (1); -#if HAVE_PAM /* Call privileged IMP plugins/containment */ if (imp_supports_pam (exec)) { +#if HAVE_PAM struct passwd *user_pwd = passwd_from_uid (exec->userid); if (pam_setup (user_pwd->pw_name) < 0) imp_die (1, "exec: PAM stack failure"); - } +#else + imp_die (1, + "exec: pam-support=true, but IMP was built without " + "--enable-pam"); #endif /* HAVE_PAM */ + } /* Block signals so parent IMP isn't unduly terminated */ sigblock_all (); From c694cfdae234b3da9de9e5ef252af41e309104b6 Mon Sep 17 00:00:00 2001 
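Review bot: The new `#else` branch only reports the misconfiguration from imp_exec_privileged, after `privsep_wait` has already succeeded, so `pam-support = true` on a build without PAM is still accepted without complaint on any path that never reaches this block (the unprivileged exec path gated by imp_exec_unprivileged_allowed appears to be one) and the error surfaces at exec time rather than when the config is read. Consider validating the option once where the exec config is loaded (not visible here) and keeping this branch as a defensive backstop; a short comment such as `/* Admin enabled PAM but this build cannot honor it: refuse rather than silently skip */` above the `#else` would also make its intent clear. The `#if HAVE_PAM` side of the same block still dereferences `user_pwd->pw_name` without checking the result of `passwd_from_uid`; if that helper can return NULL, it should `imp_die` with a clear message before `pam_setup` is called. imp_exec_privileged starts outside the hunk.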
From: "Mark A. Grondona" Date: Wed, 3 May 2023 16:06:56 -0700 Subject: [PATCH 3/5] debian: build with --enable-pam Problem: The debian package generated by `make deb` does not include support for PAM. Add the --enable-pam option to configure and add libpam0g-dev as a requesite package so that the packaged flux-security has support for PAM. --- debian/control | 3 ++- debian/rules | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 648176d6..bcd41040 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,8 @@ Build-Depends: libsodium-dev, libjansson-dev, uuid-dev, - libmunge-dev + libmunge-dev, + libpam0g-dev Homepage: https://github.com/flux-framework/flux-security Package: flux-security diff --git a/debian/rules b/debian/rules index 961f78bd..eb08533b 100755 --- a/debian/rules +++ b/debian/rules @@ -19,6 +19,10 @@ override_dh_autoreconf: @echo not running autogen.sh on dist product +override_dh_auto_configure: + dh_auto_configure -- \ + --enable-pam + override_dh_auto_install: dh_auto_install find . -name '*.la' -delete From 8f16f2a3cd9671158146cabb71ca5bbbd30c2483 Mon Sep 17 00:00:00 2001 From: "Mark A. Grondona" Date: Thu, 4 May 2023 07:20:23 -0700 Subject: [PATCH 4/5] testsuite: test for IMP error if PAM configured but not enabled Problem: No test in the testsuite ensures that the IMP fails with an expected error if pam-support=true is specified in the config, but flux-security was built without PAM support. Add a test to t2000-imp-exec.t to ensure this error occurs. --- t/t2000-imp-exec.t | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/t/t2000-imp-exec.t b/t/t2000-imp-exec.t index 4c84a5cf..a53b383d 100755 --- a/t/t2000-imp-exec.t +++ b/t/t2000-imp-exec.t 
@@ -59,7 +59,7 @@ test_expect_success 'create configs for flux-imp exec and signer' ' allowed-shells = [ "id", "echo", "$(pwd)/sleeper.sh" ] allow-unprivileged-exec = true EOF - cat <<-EOF >sign-none-allowed-munge.toml + cat <<-EOF >sign-none-allowed-munge.toml && allow-sudo = true [sign] max-ttl = 30 @@ -70,6 +70,10 @@ test_expect_success 'create configs for flux-imp exec and signer' ' allowed-shells = [ "id", "echo" ] allow-unprivileged-exec = true EOF + cp sign-none.toml pam-test.toml && + cat <<-EOF >>pam-test.toml + pam-support = true + EOF ' test_expect_success 'flux-imp exec fails in unprivileged mode by default' ' ( export FLUX_IMP_CONFIG_PATTERN=no-unpriv-exec.toml && @@ -174,4 +178,14 @@ test_expect_success SUDO,NO_CHAIN_LINT 'flux-imp exec: setuid IMP lingers' ' kill -TERM $pid && wait ' +$flux_imp version | grep -q pam || test_set_prereq NO_PAM +test_expect_success NO_PAM,SUDO 'flux-imp exec: fails if not built with PAM but pam-support=true' ' + ( export FLUX_IMP_CONFIG_PATTERN=pam-test.toml && + fake_imp_input foo | \ + test_must_fail $SUDO FLUX_IMP_CONFIG_PATTERN=pam-test.toml \ + $flux_imp exec echo ok > pam-err.out 2>&1 + ) && + test_debug "cat pam-err.out" && + grep "IMP was built without --enable-pam" pam-err.out +' test_done From d4f48ccb5cafe5a0f0fdeed6c48cbdf675315d15 Mon Sep 17 00:00:00 2001 From: "Mark A. Grondona" Date: Thu, 4 May 2023 08:25:32 -0700 Subject: [PATCH 5/5] ci: pin urllib<2 to address readthedocs build failure Problem: ReadTheDocs CI build currently fails with: ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with OpenSSL 1.0.2n 7 Dec 2017 See: https://github.com/urllib3/urllib3/issues/2168 Workaround the issue until the builders update their OpenSSL by pinning urllib<2. --- doc/requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/requirements.txt b/doc/requirements.txt index 548a9849..a78a8086 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt 
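Review bot: The `cat <<-EOF >>pam-test.toml` append relies on `[exec]` being the last table in sign-none.toml, since `pam-support = true` is only meaningful under the exec table; the keys just above it (`allowed-shells`, `allow-unprivileged-exec`) suggest that holds today, but a later reordering of sign-none.toml would move the appended key into a different table and make the PAM test fail for an unrelated reason. Writing pam-test.toml as its own complete heredoc, or adding a comment such as `# appended key must land in [exec], the last table of sign-none.toml` next to the `cp`, would make that dependency explicit. The enclosing test_expect_success block starts outside the hunk.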
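Review bot: The prereq line `$flux_imp version | grep -q pam || test_set_prereq NO_PAM` also sets NO_PAM when `$flux_imp version` itself fails or prints nothing, so a missing or broken binary would run this test and report an unrelated failure, and `grep -q pam` matches any token containing that substring in the version output. Checking the command's exit status separately and anchoring the pattern to the exact token the `version` subcommand prints for PAM support (not visible here) would make the detection precise. A one-line comment above it, for example `# NO_PAM: this build of flux-imp reports no PAM support in its version output`, would also help readers understand why the test is gated on both NO_PAM and SUDO.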
@@ -2,3 +2,4 @@ sphinx==3.4.3
 sphinx-rtd-theme>=0.5.2
 docutils>=0.14,<0.18
 Jinja2<3.1
+urllib3<2