New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PAM sessions are not being initialized properly #2973
Comments
Hi, I am trying to use PAMAuthenticator with a non-root user JuypterHub controlled by systemd on CentOS 8. Since I am going to spawn singleuser servers with podman, I need PAM to open a session to set the correct context for each user. Right now this does not work, and I get several PAM related errors. This is the /etc/var/secure log
And this is the service file for JupyterHub for systemd:
To make sure that /proc/self/loginuid is unset, I modified the
The /var/log/messages output was
The first line I tried adding all of this additional CAPABILITIES in the service file:
In addition, I think all three directions affect the PAM errors. When I put |
I just reverted all of the changes in this commit: 4de6b39 and it seemed to work for me. If it also works for you it might be worth submitting a pull request with your changes. |
In theory all you need to do is add
and change https://github.com/jupyterhub/jupyterhub/blob/master/jupyterhub/auth.py#L948 and https://github.com/jupyterhub/jupyterhub/blob/master/jupyterhub/auth.py#L960 to
instead of
but I haven't tested this (and currently don't have access to my normal setup) |
Ok, I took on my own way:
But I am still suck with one error. Here from /var/log/secure:
And here from /var/log/messages:
I used |
Hi, I worked it out now: I added a set_preexec_fn routine to spawners. It is called by the authenticator on pre_spawn_start and sets a preexec_fn for the spawner. When the spawner makes a call to the singleuser notebook via subprocess.Popen the new preexec_fn is used. This function changes to root, runs through the PAM stack, and then changes to the correct uid, gids. The PAM handle is unique for the session and gets saved in the spawner, so it can be reused, when closing the PAM session in post_spawn_stop. This is needed, when users can start multiple singleuser notebooks, hence might have multiple open sessions. I forked jupyterhub and wrapspawner for my own usage and it works. I think there is a more elegant way to make the authenticator run a pre_spawn_start hook in the beginning of the new subprocess of the spawner. Maybe someone else has a better idea? |
This is still broken on JupyterHub 1.4.2 when run with the sudospawner. Disabling PAM Sessions via c.PAMAuthenticator.open_sessions=False works fine. |
Something I found related to this is that on Ubuntu 20.04 server install is that you need to add the hub service user to the "utmp" group in addition to the "shadow" group. You still get some errors though. I'm going to keep digging into exactly what each step is doing.
|
The shadow group means you can read all of the local hashed passwords. That's why it needs to run as root or be a member to work. It's related to your PAM configuration. If you use an LDAP backend and not shadow passwords, you can often run unprivileged when using PAM modules -- it all depends on what your PAM modules are doing. That's why gatoniel is running in a preexec function. |
Cross-linking #486 since this has been brought up several times, but our session lifecycle is not correct: Quoting https://bugs.freedesktop.org/show_bug.cgi?id=62866:
So the only way to fix this fully robustly is to have a separate PAM process for each user (indeed for each Spawner instance) where we make PAM calls (including authenticate). It also means requiring password entry for every spawn if we want to avoid persisting passwords in a reusable form (which I think we should avoid), and hijacking LocalProcessSpawner so the authenticate process is indeed the parent of the single-user server. There's further discussion in minrk/pamela#22 which includes a sketch of a path forward. |
I have a configuration where mount points are being set up when a user authenticates with PAM. This worked on jupyterhub 0.8.1. However, this does not appear to work on newer versions of jupyterhub (I upgraded to 0.9.6).
I think the issue can be traced back to this commit where the interaction with PAM was moved to a thread. I think having authentication in a separate thread is probably okay (though I haven't tested this). However, opening a PAM session should probably be done in the spawned process since they are typically setting process/thread attributes. Reverting the changes in jupyterhub/auth.py fixed the issue for me but I think a proper fix is needed (this fix may just be reverting the changes).
I think taking another look at the commit above may also help with issues #2056, #2754, and #2406. Let me know if you need me to do more testing or need any other information.
The text was updated successfully, but these errors were encountered: