gitea: drop PAM support

[Ma27]

Description of changes

Strongly inspired by the forgejo counterpart[1], for the following reasons:

• The feature is broken with the current module and crashes on authentication with the following stacktrace (with a PAM service gitea added):

  server # Stack trace of thread 1008:
  server # #0  0x00007f3116917dfb __nptl_setxid (libc.so.6 + 0x8ddfb)
  server # #1  0x00007f3116980ae6 setuid (libc.so.6 + 0xf6ae6)
  server # #2  0x00007f30cc80f420 _unix_run_helper_binary (pam_unix.so + 0x5420)
  server # #3  0x00007f30cc8108c9 _unix_verify_password (pam_unix.so + 0x68c9)
  server # #4  0x00007f30cc80e1b5 pam_sm_authenticate (pam_unix.so + 0x41b5)
  server # #5  0x00007f3116a84e5b _pam_dispatch (libpam.so.0 + 0x3e5b)
  server # #6  0x00007f3116a846a3 pam_authenticate (libpam.so.0 + 0x36a3)
  server # #7  0x00000000029b1e7a n/a (.gitea-wrapped + 0x25b1e7a)
  server # #8  0x000000000047c7e4 n/a (.gitea-wrapped + 0x7c7e4)
  server # ELF object binary architecture: AMD x86-64
  server #
  server # [   42.420827] gitea[897]: pam_unix(gitea:auth): unix_chkpwd abnormal exit: 159
  server # [   42.423142] gitea[897]: pam_unix(gitea:auth): authentication failure; logname= uid=998 euid=998 tty= ruser= rhost=  user=snenskek
  

  It only worked after turning off multiple sandbox settings and adding shadow as supplementary group to gitea.service.

  I'm not willing to maintain additional multiple sandbox settings for different features, especially given that it was probably not used for quite a long time:

  • There was no PR or bugreport about sandboxing issues related to PAM.

  • Ever since the module exists, it used the user gitea, i.e. it had never read-access to /etc/shadow.

• Upstream has it disabled by default[2].

If somebody really needs it, it can still be brought back by an overlay updating tags accordingly and modifying the systemd service config.

[1] 07641a9
[2] https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[GetPsyched]

Broken link syntax

Suggested change

	- `gitea` no longer supports the opt-in feature [PAM (Pluggable Authentication Module)][https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module].
	- `gitea` no longer supports the opt-in feature [PAM (Pluggable Authentication Module)](https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module).