-
-
Notifications
You must be signed in to change notification settings - Fork 14.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pam: Verify /etc/pam.d/* file contents #146467
Conversation
266ae4f
to
b992e8e
Compare
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/how-to-read-a-file-in-a-nixpkgs-test/16130/1 |
Theres a existing test that uses grep to check the file contents https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/pam-u2f.nix might be useful https://github.com/pbrezina/pam-test |
b992e8e
to
3e4fe13
Compare
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/how-to-best-verify-etc-pam-d-file-contents/16217/1 |
"session required pam_env.so conffile=/etc/pam/environment readenv=0", | ||
"session required pam_unix.so", | ||
} | ||
actual_lines = set(machine.succeed("cat /etc/pam.d/chfn").splitlines()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you want to you could add more modules and also test more configuration files to get a good coverage
such as pam.d/login, pam.d/sudo, etc and some modules from https://search.nixos.org/options?channel=21.05&from=0&size=50&sort=relevance&type=packages&query=security.pam
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's the plan, as soon as I get enough feedback on this that I'm fairly certain the result can be merged without major rework.
3e4fe13
to
595543a
Compare
Would it be possible to merge this as-is? Then I can create a separate PR with more tests. |
Please move the other pam tests in to the pam subdirectory then i will merge this because we can always rework it since its a test and not user facing |
created a tracking issue for pam #147565 |
5909ff5
to
dcb941f
Compare
i fixed it for you waiting for ofborg and then merging |
Isn't a full-featured VM test a little heavy to test a bunch of generated files? |
I just copied the pattern from other tests. If you know of a more light-weight way to do it (with the same kind of guarantees about testing the actually resulting files rather than an intermediate result) I'd be interested. |
Well, other tests check for functionality in a VM, we only check build products after we have booted into a VM. You could either
EDIT:L I'm open to other, better ideas though :) |
Motivation for this change
PAM file contents are critical for system security, and verifying their contents with a reasonable configuration can go a long way towards avoiding syntax or semantic errors.
Based on the work mostly by @Artturin in #145574, and inspired by @Xe's The Surreal Horror of PAM.
Current approach
(Thanks for the tips, @Artturin and @thiagokokada!):
set
.This approach makes TDD easy (change the expected lines, see the test fail, then change the production code), and should make any breakage really easy to spot.
Questions
nixos/modules/security/pam.nix
instead of one per/etc/pam.d/*
file? This would make it harder to verify that there are no unexpected functional lines in the files. A hybrid approach which verifies the default contents and checks how the output differs based on various settings could work, but could also end up being fairly complex.@mkg20001 @ju1m You've both done some non-trivial changes to pam.nix relatively recently. What do you think of the above/the work so far?
Things done
sandbox = true
set innix.conf
? (See Nix manual) N/Anix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage N/A./result/bin/
) N/A