pam: Do not prevent root from changing auth token #7761
Conversation
Hi, typically there is a different semantic if the password change is called as a user or as root. If it is called as a user, the semantic is that the password will be changed after the user has authenticated themselves by giving the current password of the account for which the password should be changed (typically the account of the user itself) and then the new password. If it is called as root, the semantic is a password reset, i.e. no additional authentication is required, being root is sufficient, and the password of any user can be set to a new one. SSSD's support for the latter is quite limited because for the common use cases, with users coming from remote sources like LDAP and actual authentication happening remotely as well, e.g. with Kerberos or LDAP, SSSD does not have the privileges on the remote side to change the password. That's why this use case is rejected already in the PAM module. bye,
I don't quite get why it has to be dependent on the user's UID. The password change happens on the domain controller side, which doesn't really care what the local user's credentials are. If changing a password requires authentication, the controller would ask the client to authenticate, be it root or not. Anyway, if this change can't be accepted as it is, maybe we can make this behavior optional based on
Is this PR rejected?
Hi, I'm sorry for the delay.
It depends on the use-case. If it is only about running If there are other use-cases as well, I would prefer a command-line option ( bye,
Yes, my context actually is a privileged daemon that manages users in the system and provides a way to change the password for both local and domain accounts. To change the password of a user coming from SSSD I resort to calling pam_sss.so, which is why I need this feature.
Sure, a fine solution. I'll prepare an update to the PR. Thanks for the feedback!
Hi,
thank you for the updates. I'm fine with the changes, ACK.
Now, at least one additional developer should do review.
bye,
Sumit
Is it worth a release note? (https://github.com/SSSD/sssd/blob/master/.git-commit-template#L16)
Hi, the patch is good; please see the minor nitpicking inline. It might also be worth adding a release note, as Alexey suggested.
Thank you.
:config: The pam_sss.so module gained a new option named "allow_chauthtok_by_root". It allows changing the realm password of an arbitrary user via PAM when invoked by root.
In my workflow I use pam_sss to change passwords of AD domain users. It works fine when the user changes his password himself, but it doesn't work when I do the same with, for example, the `pamtester` program running as root. The history of this `getuid() == 0` check traces back 15 years and it still doesn't give a clear rationale. The proposed patch fixes the problem for me.
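A PAM password stack that uses the new option, added here as an illustration and not part of the PR; the service name, the surrounding modules and their order are assumptions, not a configuration recommended by SSSD:

```text
# /etc/pam.d/userd-chpasswd  (hypothetical service file for the privileged daemon above)
#
# Before this PR, pam_sss.so rejected the password change in this stack whenever
# the calling process ran with UID 0, so a root daemon could reset the password of
# a local (pam_unix) user but never of a user served by SSSD.  With
# allow_chauthtok_by_root the root caller is allowed through to the domain, which
# still decides whether the change is permitted.
#
# use_authtok: take the new password already collected by pam_pwquality
# instead of prompting for it again.
password  requisite   pam_pwquality.so retry=3
password  sufficient  pam_unix.so sha512 shadow use_authtok
password  sufficient  pam_sss.so use_authtok allow_chauthtok_by_root
password  required    pam_deny.so
```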