ansible-lockdown/RHEL6-STIG

pam module fails when "service" is a symlink and "backup: yes"

jamescassell opened this issue · 12 comments

This issue is similar to ansible/ansible#6986

By default, on RHEL6, /etc/pam.d/system-auth is a symlink to /etc/pam.d/system-auth-ac. After running this role, system-auth ends up as a file rather than a symlink.

I'll send in a patch for this issue.

You dont need to go to this extreme but you're welcomed to submit a PR that switches out the custom PAM module we have here to use the one that is now part of the upstream. I think we'd still take the patch but if you feel like doing a lil extra, I wont stop you ;)

Breaking the link is a feature. It precludes losing your configs if someone runs authconfig.

The error only manifests itself when "backup: yes" is set. Otherwise, it writes through to the linked file. At the very least it needs an option to follow/not follow a link.

I've patched the custom pam module locally, but I'm exploring the change suggested by @defionscode (using the upstream pamd module)

The upstream pamd module does not support "backup." I've created a patch for this specific issue with the custom pam module, and also a separate patch that switches to the upstream pamd module. I'll send them in after I've tested them a bit more, hopefully today.

Hmm alright, I may look into making a PR for the upstream pamd module to add backup support. I really appreciate your help.

Do you want one pull request with all my various fixes, our should I break them out by issue?

@jamescassell thank you for your contributions. I believe you still have on incoming PR. I'll close this issue once that has been submitted/accepted.

Yes. Hopefully today. Thanks for merging my PRs!

any preference as to whether the custom pam module should be removed as part the PR switching to the upstream pamd module? I've verified that the upstream pamd module behaves identically to the custom one, so far as the RHEL6-STIG projects usage of it, with the exception of not having "backup" support.

I'm fine with removing it, worst case we can always go back into commit history to grab it should we need to.

Turns out this issue wasn't caused by the custom pam module in cat2.yml or cat3.yml, but rather the 'replace' module in cat1.yml. That fix has already been merged. I was thrown off by the fact that the only call to the pam module with "backup:yes" was for system-auth, and assumed those conditions were causing the system-auth symlink to turn into a file. After swapping out the pam module for pamd, I identified the real issue of the replace module changing the symlink to a file. My PR still stands for switching to the official pamd module, though. I should have a few other fixes incoming, as well. Thanks for being responsive to my PRs!