CentOS / sig-cloud-instance-build

CentOS Cloud Instance SIG: Metadata to build & release instances

Vagrant: Multiline in /etc/pam.d/su breaks Augeas #139

Closed fatbasstard closed 4 years ago

fatbasstard commented 5 years ago

When spinning up a Vagrant CentOS7 box (centos/7) the machine ends up with the following /etc/pam.d/su file:

#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        substack    system-auth
auth        include     postlogin
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     [success=1 default=ignore] \
                pam_succeed_if.so user = vagrant use_uid quiet
account     required    pam_succeed_if.so user notin root:vagrant
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     include     postlogin
session     optional    pam_xauth.so

If the content of this file is being manipulated using Augeas, this breaks due to the multiline:

augtool> print /augeas/files/etc/pam.d/su/
/augeas/files/etc/pam.d/su
/augeas/files/etc/pam.d/su/path = "/files/etc/pam.d/su"
/augeas/files/etc/pam.d/su/mtime = "1541598575"
/augeas/files/etc/pam.d/su/lens = "@Pam"
/augeas/files/etc/pam.d/su/lens/info = "/usr/share/augeas/lenses/dist/pam.aug:60.12-.56:"
/augeas/files/etc/pam.d/su/error = "parse_failed"
/augeas/files/etc/pam.d/su/error/pos = "469"
/augeas/files/etc/pam.d/su/error/line = "12"
/augeas/files/etc/pam.d/su/error/char = "5"
/augeas/files/etc/pam.d/su/error/lens = "/usr/share/augeas/lenses/dist/pam.aug:60.12-.56:"
/augeas/files/etc/pam.d/su/error/lens/last_matched = "/usr/share/augeas/lenses/dist/util.aug:134.6-.14:"
/augeas/files/etc/pam.d/su/error/lens/next_not_matched = "/usr/share/augeas/lenses/dist/util.aug:22.27-.34:"
/augeas/files/etc/pam.d/su/error/message = "Iterated lens matched less than it should"

The default lens for PAM does not support this.

In our case we use Augeas within Puppet to handle configuration management.

If there is no real reason to put the multiline there, can this be put on a single line?

lpancescu commented 5 years ago

Using multilines for PAM directives is perfectly valid syntax, please see the third paragraph in man pam.d. It's a bug in Augeas if it can't handle that - we're hardly the only ones to use multilines (in this case, for readability reasons). From a quick look at their PAM lens, they seem to handle multilines just inside a parameter list. Please file a bug on the Augeas tracker.
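Added example, not part of the thread and not code from Augeas or the CentOS image: a minimal Python reader for the continuation syntax discussed above, which joins backslash-newline pairs into logical lines before splitting each rule into fields. The sample is constructed from the account lines of the su file quoted in the issue; the function names and the handling of full-line comments are assumptions of this example.

```python
import re

# Constructed sample: the account rules of the su file quoted in the issue.
SAMPLE = """\
#%PAM-1.0
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     [success=1 default=ignore] \\
                pam_succeed_if.so user = vagrant use_uid quiet
account     required    pam_succeed_if.so user notin root:vagrant
account     include     system-auth
"""

# type, control (one word or a bracketed [value=action ...] list), module, raw args
RULE = re.compile(r"(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?")

def logical_lines(text):
    """Join lines ending in a backslash with the next line; drop blanks and comments."""
    out, pending = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        # Assumption: a full-line comment is skipped only when no rule is being continued.
        if not pending and (not piece or piece.startswith("#")):
            continue
        line = pending + piece
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "   # escaped newline becomes one space
        else:
            out.append(line)
            pending = ""
    if pending.strip():
        out.append(pending.strip())              # file ended on a dangling backslash
    return out

def parse_rules(text):
    """Return one dict per rule; raise on a logical line that is not a valid rule."""
    rules = []
    for line in logical_lines(text):
        m = RULE.fullmatch(line)
        if m is None:
            raise ValueError(f"unparseable PAM rule: {line!r}")
        rules.append(m.groupdict())
    return rules

if __name__ == "__main__":
    for rule in parse_rules(SAMPLE):
        print(rule)
```

The output of `logical_lines` is the single-line form of each rule, which a line-oriented tool can read without continuation support.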

fatbasstard commented 5 years ago

So simply putting this configuration on one line is not considered a workable and/or valuable approach? I must say that I personally do not consider this more readable.

Created an issue in Augeas as well.

lutter commented 5 years ago

I agree it's an Augeas issue. I'll fix it there.

fatbasstard commented 5 years ago

As long as it gets fixed: ❤️ Thanx!

lpancescu commented 5 years ago

@fatbasstard is the multiline in /etc/pam.d/su still an issue with Augeas?

fatbasstard commented 4 years ago

@lpancescu tbh: I don't know. I left the company and don't have a setup at hand to validate the current status.

But quickly looking at the release notes it looks like it is either fixed, or will be really soon. I'll make the assumption here and close the issue.

Thanks!