From 68cb5d6510747a44260ee64813883010bc95b9c9 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 15 Jan 2024 10:47:04 +0100
Subject: [PATCH] Backport and fix remediation for smartcard_pam_enabled

The line `auth [success=2 default=ignore] pam_pkcs11.so` is incorrectly inserted at the top of the pam file. This breaks the functionality if other rules insert modules between this line and pam_unix.so (looking at you faillock preauth).

One option would be to add another position argument to the function, e.g. "above_pam_unix", and place the line accordingly. However, this would require modifying the analogous macro upstream, which is not ideal. To make things worse, the upstream macro does not have the position functionality implemented.

To avoid messing with the function, a better option is to switch to using another macro which was recently backported from upstream, which supports appending lines after a specific match.
---
 .../smartcard_pam_enabled/tests/commented.fail.sh | 2 +-
 .../smartcard_pam_enabled/tests/correct.pass.sh | 2 +-
 .../smartcard_pam_enabled/tests/nothing.fail.sh | 2 +-
 .../smartcard_pam_enabled/tests/substring.fail.sh | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh
index b7b587f5d15a..3750cac24ac7 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh
@@ -2,7 +2,7 @@
 # platform = multi_platform_ubuntu,multi_platform_sle
 # packages = libpam-pkcs11
 {{% if 'ubuntu' in product %}}
-echo '# auth [success=2 default=ignore] pam_pkcs11.so' > /etc/pam.d/common-auth
+sed -i '/^auth.*pam_unix.so/i # auth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth
 {{% else %}}
 echo '# auth sufficient pam_pkcs11.so' > /etc/pam.d/common-auth
 {{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh
index a46f54fb9e20..37f5fff8ecae 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh
@@ -3,7 +3,7 @@
 # packages = libpam-pkcs11

 {{% if 'ubuntu' in product %}}
-echo 'auth [success=2 default=ignore] pam_pkcs11.so' > /etc/pam.d/common-auth
+sed -i '/^auth.*pam_unix.so/i auth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth
 {{% else %}}
 echo 'auth sufficient pam_pkcs11.so' > /etc/pam.d/common-auth
 {{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh
index 973daaf8aeb3..d57f93ef0141 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh
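Review bot: The new `sed -i '/^auth.*pam_unix.so/i …'` line in commented.fail.sh (and the same construct in correct.pass.sh and substring.fail.sh) silently inserts nothing when /etc/pam.d/common-auth contains no line matching the anchor, whereas the replaced `echo … >` always produced a known file, so the Ubuntu branch of these scenarios now depends on the test image's stock common-auth. To keep them deterministic, seed the file the way nothing.fail.sh now does before running sed, e.g. `echo 'auth [success=1 default=ignore] pam_unix.so nullok' > /etc/pam.d/common-auth`. The unescaped dot in the anchor also matches any character; `pam_unix\.so` is the literal the scenario intends. The commit message describes switching the remediation to a different macro, but the diffstat lists only these four test scripts, so that change is presumably in another commit of the backport — worth confirming it lands together with the scenarios that now assume it.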
@@ -2,4 +2,4 @@
 # platform = multi_platform_ubuntu,multi_platform_sle
 # packages = libpam-pkcs11

-echo > /etc/pam.d/common-auth
+echo "auth [success=1 default=ignore] pam_unix.so nullok" > /etc/pam.d/common-auth
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh
index a1dad1bf3bed..4773c829ed60 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh
@@ -3,7 +3,7 @@
 # packages = libpam-pkcs11

 {{% if 'ubuntu' in product %}}
-echo 'aauth [success=2 default=ignore] pam_pkcs11.so' > /etc/pam.d/common-auth
+sed -i '/^auth.*pam_unix.so/i aauth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth
 {{% else %}}
 echo 'aauth sufficient pam_pkcs11.so' > /etc/pam.d/common-auth
 {{% endif %}}
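Review bot: The seed line added to nothing.fail.sh is double-quoted, `echo "auth [success=1 default=ignore] pam_unix.so nullok" > /etc/pam.d/common-auth`, while the echo arguments in the other three scenarios of this rule are single-quoted; nothing in the string expands, so `echo 'auth [success=1 default=ignore] pam_unix.so nullok' > /etc/pam.d/common-auth` keeps the files consistent and rules out accidental expansion if the line is edited later. This scenario runs on both platforms listed in its header, so the seeded line is what the remediation will anchor on for SLE as well as Ubuntu — presumably intended, but worth a one-line comment above it saying so.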