nixos/phosh: Fix PAM configuration #123448

Merged
merged 1 commit into from May 18, 2021

@mweinelt (Member) commented May 18, 2021

Motivation for this change

The removed PAM config would not check anything meaningful, allowing
PIN unlock without a valid PIN if you weren't running as root.

Resolves: #123435

ccing @masipcat, whom I could not add to reviewers.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@samueldr (Member) commented May 18, 2021

Verified with:

{
  security.pam.services.phosh = lib.mkForce {};
}

In my system configuration.

Fails to unlock with a bogus PIN. And, importantly, unlocks on the right PIN.

@mweinelt marked this pull request as ready for review May 18, 2021 04:01
@mweinelt requested review from jtojnar and archseer May 18, 2021 04:04
@mweinelt linked an issue May 18, 2021 that may be closed by this pull request

@zhaofengli (Member) commented

Verified working as well for me. Thanks for the fix!

@dotlambda (Member) left a comment

The commit message mentions the wrong issue.

The PAM config deployed would not check anything meaningful. Remove it
and rely on the defaults in the security.pam module to fix login with
arbitrary credentials.

Resolves: NixOS#123435

@mweinelt (Member, Author) commented

> The commit message mentions the wrong issue.

Fixed.

@mkg20001 merged commit 362ca08 into NixOS:master May 18, 2021
@mweinelt deleted the phosh-pam branch May 18, 2021 15:32

Successfully merging this pull request may close these issues.

phosh: PIN unlock issue