Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add pam account authorization check (#19040) #19047

Merged
merged 2 commits into from
Mar 10, 2022
Merged

Add pam account authorization check (#19040) #19047

merged 2 commits into from
Mar 10, 2022

Conversation

6543
Copy link
Member

@6543 6543 commented Mar 10, 2022
edited by zeripath
Loading

Backport #19040

The PAM module has previously only checked the results of the authentication module.

However, in normal PAM practice most users will expect account module authorization to also be checked. Without doing this check in almost every configuration expired accounts and accounts with expired passwords will still be able to login.

This is likely to represent a significant gotcha in most configurations and cause most users configurations to be potentially insecure. Therefore we should add in the account authorization check.

⚠️ BREAKING ⚠️

Users of the PAM module who rely on account modules not being checked will need to change their PAM configuration.

However, as it is likely that the vast majority of users of PAM will be expecting account authorization to be checked in addition to authentication we should make this breaking change to make the default behaviour correct for the majority.

I suggest we backport this despite the BREAKING nature because of the surprising nature of this.

Thanks to @ysf for bringing this to our attention.
Co-authored-by: ysf [email protected]

@6543 6543 added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! labels Mar 10, 2022
@6543 6543 added this to the 1.16.4 milestone Mar 10, 2022
@6543 6543 added type/bug type/enhancement An improvement of existing functionality labels Mar 10, 2022
@6543 6543 mentioned this pull request Mar 10, 2022
Merged
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Mar 10, 2022
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 10, 2022
@zeripath
Copy link
Contributor

make lgtm work

@zeripath zeripath merged commit 3e5c844 into go-gitea:release/v1.16 Mar 10, 2022
@zeripath zeripath deleted the backport_19040 branch March 10, 2022 08:15
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wxiaoguang wxiaoguang wxiaoguang approved these changes

@lunny lunny lunny approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug type/enhancement An improvement of existing functionality
Projects
None yet
Milestone
1.16.4
Development

Successfully merging this pull request may close these issues.
5 participants
@6543 @zeripath @lunny @wxiaoguang @GiteaBot