Multiline in /etc/pam.d/su breaks Augeas #590

Closed
fatbasstard opened this issue Nov 8, 2018 · 1 comment
@fatbasstard

See the related issue in the CentOS repo: CentOS/sig-cloud-instance-build#139

When spinning up a Vagrant CentOS7 box (centos/7) the machine ends up with the following /etc/pam.d/su file:

#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		substack	system-auth
auth		include		postlogin
account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
account		[success=1 default=ignore] \
				pam_succeed_if.so user = vagrant use_uid quiet
account		required	pam_succeed_if.so user notin root:vagrant
account		include		system-auth
password	include		system-auth
session		include		system-auth
session		include		postlogin
session		optional	pam_xauth.so

If the content of this file is being manipulated using Augeas, this breaks due to the multiline:

augtool> print /augeas/files/etc/pam.d/su/
/augeas/files/etc/pam.d/su
/augeas/files/etc/pam.d/su/path = "/files/etc/pam.d/su"
/augeas/files/etc/pam.d/su/mtime = "1541598575"
/augeas/files/etc/pam.d/su/lens = "@Pam"
/augeas/files/etc/pam.d/su/lens/info = "/usr/share/augeas/lenses/dist/pam.aug:60.12-.56:"
/augeas/files/etc/pam.d/su/error = "parse_failed"
/augeas/files/etc/pam.d/su/error/pos = "469"
/augeas/files/etc/pam.d/su/error/line = "12"
/augeas/files/etc/pam.d/su/error/char = "5"
/augeas/files/etc/pam.d/su/error/lens = "/usr/share/augeas/lenses/dist/pam.aug:60.12-.56:"
/augeas/files/etc/pam.d/su/error/lens/last_matched = "/usr/share/augeas/lenses/dist/util.aug:134.6-.14:"
/augeas/files/etc/pam.d/su/error/lens/next_not_matched = "/usr/share/augeas/lenses/dist/util.aug:22.27-.34:"
/augeas/files/etc/pam.d/su/error/message = "Iterated lens matched less than it should"

The default lens for PAM does not support this.

In our case we use Augeas within Puppet to handle configuration management.

According to the CentOS people, this is considered a bug in Augeas. Can this be fixed?

@lutter
Member

lutter commented Nov 8, 2018

Yes, I agree it's a bug in Augeas. I'll try and fix up the lens.

lutter added a commit to lutter/augeas that referenced this issue Nov 8, 2018
Make it possible to use '\<LF>' as a whitespace character between tokens

Fixes hercules-team#590
lutter added a commit to lutter/augeas that referenced this issue Nov 29, 2018
Make it possible to use '\<LF>' as a whitespace character between tokens

Fixes hercules-team#590
lutter added a commit that referenced this issue Nov 29, 2018
Make it possible to use '\<LF>' as a whitespace character between tokens

Fixes #590
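
Added example, not part of the original issue or of the Augeas project: a small Python pre-check that joins `\<LF>` continuations into logical lines before splitting a PAM rule into its fields, and reports which rules span several physical lines (the construct behind the `parse_failed` error above). The function names are illustrative, and the sample string is constructed from the `account` rules of the file quoted in the issue.

```python
import re

# Constructed sample: the "account" rules from the /etc/pam.d/su file in the issue.
SAMPLE = (
    "account\t\tsufficient\tpam_succeed_if.so uid = 0 use_uid quiet\n"
    "account\t\t[success=1 default=ignore] \\\n"
    "\t\t\t\tpam_succeed_if.so user = vagrant use_uid quiet\n"
    "account\t\trequired\tpam_succeed_if.so user notin root:vagrant\n"
)

# type, control (plain word or [value=action ...]), module path, optional arguments
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|[^\s\[]\S*)\s+(\S+)\s*(.*)")

def logical_lines(text):
    """Yield (first_line_no, physical_line_count, joined_text) for each logical line."""
    buf, start, count = "", 0, 0
    for no, line in enumerate(text.splitlines(), 1):
        if count == 0:
            start = no
        count += 1
        if line.endswith("\\"):
            # '\<LF>' acts as whitespace between tokens: drop the backslash, keep a space.
            # Simplification: comment lines ending in a backslash are joined the same way.
            buf += line[:-1] + " "
            continue
        yield start, count, buf + line
        buf, count = "", 0
    if count:  # file ended in the middle of a continuation
        yield start, count, buf

def parse_pam(text):
    """Return one dict per rule; raise ValueError on a line that is not a complete rule."""
    rules = []
    for start, count, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.fullmatch(line)
        if m is None:
            raise ValueError(f"line {start}: incomplete PAM rule: {line!r}")
        kind, control, module, args = m.groups()
        rules.append({"line": start, "lines": count, "type": kind,
                      "control": control, "module": module, "args": args})
    return rules

def continued_rules(text):
    """Rules that span more than one physical line."""
    return [r for r in parse_pam(text) if r["lines"] > 1]
```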