build: enable PAM in make deb #166

Merged
merged 5 commits into from
May 10, 2023
Merged
24 changes: 13 additions & 11 deletions README.md
Expand Up @@ -5,17 +5,19 @@ Independent project for Flux security code and APIs.

flux-security requires the following packages to build:

**redhat** | **ubuntu** | **version**
---------- | ---------- | -----------
autoconf | autoconf |
automake | automake |
libtool | libtool |
make | make |
pkgconfig | pkg-config |
libsodium-devel | libsodium-dev | >= 1.0.14
jansson-devel | libjansson-dev |
libuuid-devel | uuid-dev |
munge-devel | libmunge-dev |
**redhat** | **ubuntu** | **version** | **notes**
---------- | ---------- | ----------- | ---------
autoconf | autoconf | |
automake | automake | |
libtool | libtool | |
make | make | |
pkgconfig | pkg-config | |
libsodium-devel | libsodium-dev | >= 1.0.14 |
jansson-devel | libjansson-dev | |
libuuid-devel | uuid-dev | |
munge-devel | libmunge-dev | |
pam-devel | libpam0g-dev | | for --enable-pam


##### Installing RedHat/CentOS Packages
```
3 changes: 2 additions & 1 deletion debian/control
Expand Up @@ -8,7 +8,8 @@ Build-Depends:
libsodium-dev,
libjansson-dev,
uuid-dev,
libmunge-dev
libmunge-dev,
libpam0g-dev

Homepage: https://github.com/flux-framework/flux-security
Package: flux-security
4 changes: 4 additions & 0 deletions debian/rules
Expand Up @@ -19,6 +19,10 @@
override_dh_autoreconf:
@echo not running autogen.sh on dist product

override_dh_auto_configure:
dh_auto_configure -- \
--enable-pam

override_dh_auto_install:
dh_auto_install
find . -name '*.la' -delete
1 change: 1 addition & 0 deletions doc/requirements.txt
Expand Up @@ -2,3 +2,4 @@ sphinx==3.4.3
sphinx-rtd-theme>=0.5.2
docutils>=0.14,<0.18
Jinja2<3.1
urllib3<2
10 changes: 6 additions & 4 deletions src/imp/exec/exec.c
Expand Up @@ -99,13 +99,11 @@ static bool imp_exec_unprivileged_allowed (struct imp_exec *exec)
}


#if HAVE_PAM
/* Check for PAM support, but default to not using PAM for now.
*/
static bool imp_supports_pam (struct imp_exec *exec) {
return cf_bool (cf_get_in (exec->conf, "pam-support"));
}
#endif

static void imp_exec_destroy (struct imp_exec *exec)
{
Expand Down Expand Up @@ -301,14 +299,18 @@ int imp_exec_privileged (struct imp_state *imp, struct kv *kv)
if (privsep_wait (imp->ps) < 0)
exit (1);

#if HAVE_PAM
/* Call privileged IMP plugins/containment */
if (imp_supports_pam (exec)) {
#if HAVE_PAM
struct passwd *user_pwd = passwd_from_uid (exec->userid);
if (pam_setup (user_pwd->pw_name) < 0)
imp_die (1, "exec: PAM stack failure");
}
#else
imp_die (1,
"exec: pam-support=true, but IMP was built without "
"--enable-pam");
#endif /* HAVE_PAM */
}

/* Block signals so parent IMP isn't unduly terminated */
sigblock_all ();
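Review bot: In the second hunk the HAVE_PAM branch still dereferences `user_pwd->pw_name` with no NULL check between the `passwd_from_uid (exec->userid)` lookup and the `pam_setup` call; the contract of passwd_from_uid is not visible here, but if it can fail, a setuid IMP would crash on an unknown uid instead of reporting it, so a guard such as `if (!user_pwd) imp_die (1, "exec: uid lookup failed, cannot start PAM session");` before the `pam_setup` line would close that gap. The new `#else` branch only catches the build/config mismatch after `privsep_wait` has already run, so presumably a run with pam-support=true on a non-PAM build gets as far as the privileged path before dying — a check at config-load time would fail earlier, if one is not already done elsewhere. In the first hunk, the comment above `imp_supports_pam` ("default to not using PAM for now") no longer describes the function now that it is compiled unconditionally; something like `/* True if the config sets pam-support; the caller errors out when this IMP was built without --enable-pam. */` matches the new behaviour. imp_exec_privileged starts and ends outside the hunk.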
16 changes: 15 additions & 1 deletion t/t2000-imp-exec.t
Expand Up @@ -59,7 +59,7 @@ test_expect_success 'create configs for flux-imp exec and signer' '
allowed-shells = [ "id", "echo", "$(pwd)/sleeper.sh" ]
allow-unprivileged-exec = true
EOF
cat <<-EOF >sign-none-allowed-munge.toml
cat <<-EOF >sign-none-allowed-munge.toml &&
allow-sudo = true
[sign]
max-ttl = 30
Expand All @@ -70,6 +70,10 @@ test_expect_success 'create configs for flux-imp exec and signer' '
allowed-shells = [ "id", "echo" ]
allow-unprivileged-exec = true
EOF
cp sign-none.toml pam-test.toml &&
cat <<-EOF >>pam-test.toml
pam-support = true
EOF
'
test_expect_success 'flux-imp exec fails in unprivileged mode by default' '
( export FLUX_IMP_CONFIG_PATTERN=no-unpriv-exec.toml &&
Expand Down Expand Up @@ -174,4 +178,14 @@ test_expect_success SUDO,NO_CHAIN_LINT 'flux-imp exec: setuid IMP lingers' '
kill -TERM $pid &&
wait
'
$flux_imp version | grep -q pam || test_set_prereq NO_PAM
test_expect_success NO_PAM,SUDO 'flux-imp exec: fails if not built with PAM but pam-support=true' '
( export FLUX_IMP_CONFIG_PATTERN=pam-test.toml &&
fake_imp_input foo | \
test_must_fail $SUDO FLUX_IMP_CONFIG_PATTERN=pam-test.toml \
$flux_imp exec echo ok > pam-err.out 2>&1
) &&
test_debug "cat pam-err.out" &&
grep "IMP was built without --enable-pam" pam-err.out
'
test_done
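Review bot: In the second hunk, `pam-support = true` is appended to a copy of sign-none.toml with `cat <<-EOF >>pam-test.toml`, so the TOML table it lands in is whatever table sign-none.toml happens to end with; that is not visible here, and the test only exercises the intended config key if that table is the one exec.c reads via `cf_get_in (exec->conf, "pam-support")`. A comment on the `cp sign-none.toml pam-test.toml` line naming the expected table, e.g. `# sign-none.toml ends in the table exec.c reads pam-support from`, would stop a later reordering of sign-none.toml from silently turning this into a no-op. In the third hunk the prerequisite line `$flux_imp version | grep -q pam || test_set_prereq NO_PAM` also sets NO_PAM when `$flux_imp version` itself fails, which would then run this test against an IMP that cannot be probed; and as far as this section shows, a PAM-enabled build gets no coverage of the positive pam-support path.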