mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-22 14:45:27 +00:00
b39569222b
Strongly inspired by the forgejo counterpart[1], for the following
reasons:
* The feature is broken with the current module and crashes on
authentication with the following stack trace (with a PAM service
`gitea` added):
server # Stack trace of thread 1008:
server # #0 0x00007f3116917dfb __nptl_setxid (libc.so.6 + 0x8ddfb)
server # #1 0x00007f3116980ae6 setuid (libc.so.6 + 0xf6ae6)
server # #2 0x00007f30cc80f420 _unix_run_helper_binary (pam_unix.so + 0x5420)
server # #3 0x00007f30cc8108c9 _unix_verify_password (pam_unix.so + 0x68c9)
server # #4 0x00007f30cc80e1b5 pam_sm_authenticate (pam_unix.so + 0x41b5)
server # #5 0x00007f3116a84e5b _pam_dispatch (libpam.so.0 + 0x3e5b)
server # #6 0x00007f3116a846a3 pam_authenticate (libpam.so.0 + 0x36a3)
server # #7 0x00000000029b1e7a n/a (.gitea-wrapped + 0x25b1e7a)
server # #8 0x000000000047c7e4 n/a (.gitea-wrapped + 0x7c7e4)
server # ELF object binary architecture: AMD x86-64
server #
server # [ 42.420827] gitea[897]: pam_unix(gitea:auth): unix_chkpwd abnormal exit: 159
server # [ 42.423142] gitea[897]: pam_unix(gitea:auth): authentication failure; logname= uid=998 euid=998 tty= ruser= rhost= user=snenskek
It only worked after turning off multiple sandbox settings and adding
`shadow` as a supplementary group to `gitea.service`.
I'm not willing to maintain multiple additional sandbox settings for
different features, especially given that it was probably not used for
quite a long time:
* There was no PR or bug report about sandboxing issues related to
PAM.
* Ever since the module has existed, it has used the user `gitea`, i.e. it
never had read access to `/etc/shadow`.
* Upstream has it disabled by default[2].
If somebody really needs it, it can still be brought back by an overlay
updating `tags` accordingly and modifying the systemd service config.
[1]
| Name |
|---|
| gickup |
| gifgen |
| gifsicle |
| girouette |
| gist |
| git-agecrypt |
| git-autoshare |
| git-backup-go |
| git-codeowners |
| git-fixup |
| git-gamble |
| git-get |
| git-gr |
| git-igitt |
| git-instafix |
| git-my |
| git-pw |
| git-releaser |
| git-run |
| git-spice |
| git-standup |
| git-together |
| git-toolbelt |
| git-upstream |
| gitbutler |
| gitcs |
| gitea |
| gitg |
| githooks |
| github-desktop |
| github-runner |
| gitlab-ci-local |
| gitlab-release-cli |
| gitlab-runner |
| gitmoji-cli |
| gitprompt-rs |
| gittuf |
| gitu |
| gitui |
| gitversion |