Skip to content

Include .rpmsave files in password check #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Include .rpmsave files in password check #23

wants to merge 1 commit into from

Conversation

@qtc-de
Copy link

@qtc-de qtc-de commented Feb 17, 2025

Hi there 👋

recently I noticed that yk-auth was no longer working properly on my installation. Login was possible with any password and a touch on the yubikey. After investigating this issue, I noticed that my configured login password in /etc/qubes/yk-key/yk-login-pass-hashed.hex was renamed to yk-login-pass-hashed.hex.rpmsave. Since this file does not get recognized by yk-auth, login without password (but key) was possible.

It seems the RPM instruction %config(noreplace) has an edge case here in case of files being renamed / removed. I could not find any reference to this behavior, but it seems that in such cases, the old configuration file gets moved with an .rpmsave suffix. At least, this is the only explanation that I can think of in my case.

Since my case proofs that something like this can happen, and the impact of loosing the strength of 2 factor authentication, I think it is worth to include the .rpmsave file into the password check. This is what this MR tries to achieve.

@qtc-de
Include .rpmsave files in password check
9ac748b 
Add additional check for .rpmsave files containing passwords. This is
important, as rpm seems to move even %config(noreplace) files in case of
them being deleted or renamed in the updated package.
@marmarek
Copy link
Member

marmarek commented Feb 17, 2025

This is indeed quite unfortunate edge case... Generally .rpmsave files shouldn't be used - they should be safe to remove. Your proposed solution makes it risky to remove them...
A better option would be a %post script in the spec file that migrates yk-login-pass(-hashed).rpmsave to the respective new file (if it doesn't have password set already).

@qtc-de
Copy link
Author

qtc-de commented Feb 17, 2025

Works for me. I'm not familiar with RPM specs. So feel free to apply the changes yourself and close this PR :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@qtc-de @marmarek