MirrorHub/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-15 14:26:33 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
nixpkgs/nixos/doc/manual/release-notes
History
Maximilian Bosch b39569222b
gitea: drop PAM support 
Strongly inspired by the forgejo counterpart[1], for the following
reasons:

* The feature is broken with the current module and crashes on
  authentication with the following stacktrace (with a PAM service
  `gitea` added):

      server # Stack trace of thread 1008:
      server # #0  0x00007f3116917dfb __nptl_setxid (libc.so.6 + 0x8ddfb)
      server # #1  0x00007f3116980ae6 setuid (libc.so.6 + 0xf6ae6)
      server # #2  0x00007f30cc80f420 _unix_run_helper_binary (pam_unix.so + 0x5420)
      server # #3  0x00007f30cc8108c9 _unix_verify_password (pam_unix.so + 0x68c9)
      server # #4  0x00007f30cc80e1b5 pam_sm_authenticate (pam_unix.so + 0x41b5)
      server # #5  0x00007f3116a84e5b _pam_dispatch (libpam.so.0 + 0x3e5b)
      server # #6  0x00007f3116a846a3 pam_authenticate (libpam.so.0 + 0x36a3)
      server # #7  0x00000000029b1e7a n/a (.gitea-wrapped + 0x25b1e7a)
      server # #8  0x000000000047c7e4 n/a (.gitea-wrapped + 0x7c7e4)
      server # ELF object binary architecture: AMD x86-64
      server #
      server # [   42.420827] gitea[897]: pam_unix(gitea:auth): unix_chkpwd abnormal exit: 159
      server # [   42.423142] gitea[897]: pam_unix(gitea:auth): authentication failure; logname= uid=998 euid=998 tty= ruser= rhost=  user=snenskek

  It only worked after turning off multiple sandbox settings and adding
  `shadow` as supplementary group to `gitea.service`.

  I'm not willing to maintain additional multiple sandbox settings for
  different features, especially given that it was probably not used for
  quite a long time:

  * There was no PR or bugreport about sandboxing issues related to
    PAM.

  * Ever since the module exists, it used the user `gitea`, i.e. it had
    never read-access to `/etc/shadow`.

* Upstream has it disabled by default[2].

If somebody really needs it, it can still be brought back by an overlay
updating `tags` accordingly and modifying the systemd service config.

[1] 07641a91c9
[2] https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module
2024-08-24 13:40:58 +02:00
..
release-notes.md
rl-1310.section.md
rl-1404.section.md
rl-1412.section.md
rl-1509.section.md
rl-1603.section.md
rl-1609.section.md
rl-1703.section.md
rl-1709.section.md
rl-1803.section.md
rl-1809.section.md
rl-1903.section.md
rl-1909.section.md
rl-2003.section.md
rl-2009.section.md
rl-2105.section.md
rl-2111.section.md
rl-2205.section.md treewide: fix doc typos 2024-07-26 00:55:13 +02:00
rl-2211.section.md
rl-2305.section.md
rl-2311.section.md hickory-dns: rename from trust-dns 2024-08-11 07:59:32 +00:00
rl-2405.section.md treewide: fix doc typos 2024-07-26 00:55:13 +02:00
rl-2411.section.md gitea: drop PAM support 2024-08-24 13:40:58 +02:00