dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions1 Packages Projects Releases Wiki Activity
b7c9821df6
nixpkgs/pkgs/by-name/gi
History
Maximilian Bosch b39569222b
gitea: drop PAM support 
Strongly inspired by the forgejo counterpart[1], for the following
reasons:

* The feature is broken with the current module and crashes on
  authentication with the following stacktrace (with a PAM service
  `gitea` added):

      server # Stack trace of thread 1008:
      server #   0x00007f3116917dfb __nptl_setxid (libc.so.6 + 0x8ddfb)
      server #   0x00007f3116980ae6 setuid (libc.so.6 + 0xf6ae6)
      server #   0x00007f30cc80f420 _unix_run_helper_binary (pam_unix.so + 0x5420)
      server #   0x00007f30cc8108c9 _unix_verify_password (pam_unix.so + 0x68c9)
      server #   0x00007f30cc80e1b5 pam_sm_authenticate (pam_unix.so + 0x41b5)
      server #   0x00007f3116a84e5b _pam_dispatch (libpam.so.0 + 0x3e5b)
      server #   0x00007f3116a846a3 pam_authenticate (libpam.so.0 + 0x36a3)
      server #   0x00000000029b1e7a n/a (.gitea-wrapped + 0x25b1e7a)
      server #   0x000000000047c7e4 n/a (.gitea-wrapped + 0x7c7e4)
      server # ELF object binary architecture: AMD x86-64
      server #
      server # [   42.420827] gitea[897]: pam_unix(gitea:auth): unix_chkpwd abnormal exit: 159
      server # [   42.423142] gitea[897]: pam_unix(gitea:auth): authentication failure; logname= uid=998 euid=998 tty= ruser= rhost=  user=snenskek

  It only worked after turning off multiple sandbox settings and adding
  `shadow` as supplementary group to `gitea.service`.

  I'm not willing to maintain additional multiple sandbox settings for
  different features, especially given that it was probably not used for
  quite a long time:

  * There was no PR or bugreport about sandboxing issues related to
    PAM.

  * Ever since the module exists, it used the user `gitea`, i.e. it had
    never read-access to `/etc/shadow`.

* Upstream has it disabled by default[2].

If somebody really needs it, it can still be brought back by an overlay
updating `tags` accordingly and modifying the systemd service config.

[1] 07641a91c9
[2] https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module
2024-08-24 13:40:58 +02:00
..
gickup gickup: 0.10.30 -> 0.10.31 2024-08-05 13:39:24 +00:00
gifgen
gifsicle treewide: change ${pname} to string literal, pt2 () 2024-08-20 17:23:37 -07:00
girouette
gist
git-agecrypt
git-autoshare git-autoshare: init at 1.0.0b6 2024-08-05 07:50:58 +01:00
git-backup-go
git-codeowners
git-fixup
git-gamble git-gamble: init at 2.9.0 2024-08-12 20:51:17 +02:00
git-get
git-gr git-gr: 1.4.1 -> 1.4.2 2024-08-07 11:23:40 -07:00
git-igitt git-igitt: package is built from source 2024-08-11 16:11:37 +02:00
git-instafix
git-my
git-pw
git-releaser
git-run
git-spice git-spice: 0.3.1 -> 0.4.0 2024-08-09 21:21:34 -04:00
git-standup
git-together
git-toolbelt
git-upstream
gitbutler
gitcs gitcs: init at 1.2.0 2024-08-07 20:35:08 +05:30
gitea gitea: drop PAM support 2024-08-24 13:40:58 +02:00
gitg treewide: change ${pname} to string literal () 2024-08-20 15:56:55 -07:00
githooks
github-desktop
github-runner github-runner: 2.319.0 -> 2.319.1 2024-08-18 03:16:38 +00:00
gitlab-ci-local
gitlab-release-cli
gitlab-runner
gitmoji-cli
gitprompt-rs
gittuf
gitu gitu: 0.23.1 -> 0.24.0 2024-08-09 21:32:23 +00:00
gitui
gitversion