PAM auth doesn't work for systemd-homed users #321

Open
05storm26 opened this issue May 3, 2024 · 1 comment

05storm26 commented May 3, 2024

In enforce mode, if you have a systemd-homed user, you lose the ability to use sudo.

The error message by sudo is something like: "user not found in the passwd database". I suspect it is connected to the fact that suddenly `getent passwd username` returns no entry.

aa-log:

```
DENIED  unix-chkpwd open owner /etc/machine-id comm=unix_chkpwd requested_mask=r denied_mask=r
DENIED  firejail-default ptrace comm=ps requested_mask=readby denied_mask=readby peer=ps
DENIED  sudo open owner /etc/machine-id comm=sudo requested_mask=r denied_mask=r
...
DENIED  groups open @{run}/systemd/userdb/ comm=groups requested_mask=r denied_mask=r
DENIED  su open owner /etc/machine-id comm=su requested_mask=r denied_mask=r
```

Disabling enforce mode or AppArmor fixes the issue. Of course, in that case `getent passwd username` now returns the proper entry for that homed user through NSS(?) / PAM.
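To see at a glance which profiles were refused which files in output like the aa-log excerpt above, the following added example (not part of the issue or of the project's own code) groups the denials by profile. The field layout is inferred from the quoted lines only, and `parse_line` and `denied_paths_by_profile` are hypothetical helper names.

```python
from collections import defaultdict

# Denial lines copied from the aa-log output quoted in the report above
# (the "..." line in the report is left out).
SAMPLE = """\
DENIED  unix-chkpwd open owner /etc/machine-id comm=unix_chkpwd requested_mask=r denied_mask=r
DENIED  firejail-default ptrace comm=ps requested_mask=readby denied_mask=readby peer=ps
DENIED  sudo open owner /etc/machine-id comm=sudo requested_mask=r denied_mask=r
DENIED  groups open @{run}/systemd/userdb/ comm=groups requested_mask=r denied_mask=r
DENIED  su open owner /etc/machine-id comm=su requested_mask=r denied_mask=r
"""

def parse_line(line):
    """Split one summary line into a dict, or return None if it is not a denial.

    Assumed layout (inferred from the lines above, not from aa-log's source):
    STATUS PROFILE OPERATION [owner] [PATH] key=value ...
    Paths containing spaces or '=' are not handled.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "DENIED":
        return None
    entry = {"profile": tokens[1], "operation": tokens[2], "owner": False, "path": None}
    for tok in tokens[3:]:
        key, sep, value = tok.partition("=")
        if sep:                    # key=value field such as denied_mask=r
            entry[key] = value
        elif tok == "owner":       # rule qualifier printed before the path
            entry["owner"] = True
        else:                      # remaining bare token is the resource path
            entry["path"] = tok
    return entry

def denied_paths_by_profile(text):
    """Map each profile to the sorted list of (path, denied_mask) it was refused."""
    result = defaultdict(set)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"]:   # skip non-file denials such as ptrace
            result[entry["profile"]].add((entry["path"], entry.get("denied_mask", "")))
    return {profile: sorted(paths) for profile, paths in result.items()}

if __name__ == "__main__":
    for profile, paths in sorted(denied_paths_by_profile(SAMPLE).items()):
        for path, mask in paths:
            print(f"{profile}: {mask} {path}")
```
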

roddhjav (Owner) commented May 3, 2024

Thanks for these logs. Can you provide the full logs when you are in complain mode?
