Closed
Contributor adombeck commented Apr 23, 2026
`UpdateUser` unconditionally reset the user record's primary GID to the user's UID on every login, silently reverting GID changes made via `authctl group set-gid`. The group record itself kept the correct GID, causing `getent passwd` and `getent group` to diverge.
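The regression described in this commit message, reduced to a minimal model so the effect is visible in a test. This is an added example, not authd's code: `UserRecord`, `GroupRecord`, `DB`, `UpdateUser`, `updateUserBuggy`, `SetGroupGID` and `CheckConsistency` are hypothetical names, and the in-memory map stands in for the real user database. `updateUserBuggy` keeps the described defect (primary GID reset to the UID on every login); `UpdateUser` only assigns GID = UID the first time a user is seen. `CheckConsistency` is the invariant that comparing `getent passwd` with `getent group` would reveal as broken.

```go
package main

import "fmt"

// UserRecord and GroupRecord are simplified stand-ins for the records an
// NSS-backed user database keeps; they are not authd's types.
type UserRecord struct {
	Name string
	UID  uint32
	GID  uint32 // primary group
}

type GroupRecord struct {
	Name string
	GID  uint32
}

// DB is a constructed in-memory database used only for this example.
type DB struct {
	Users  map[string]UserRecord
	Groups map[string]GroupRecord
}

func NewDB() *DB {
	return &DB{Users: map[string]UserRecord{}, Groups: map[string]GroupRecord{}}
}

// updateUserBuggy reproduces the defect from the commit message: every
// login overwrites the stored primary GID with the UID, discarding an
// administrator's earlier set-gid change. The group record is untouched,
// so user and group records silently diverge.
func updateUserBuggy(db *DB, u UserRecord) {
	u.GID = u.UID
	db.Users[u.Name] = u
	if _, ok := db.Groups[u.Name]; !ok {
		db.Groups[u.Name] = GroupRecord{Name: u.Name, GID: u.GID}
	}
}

// UpdateUser is the corrected behaviour: a private group with GID == UID is
// created only the first time the user is seen; on later logins the stored
// primary GID is preserved.
func UpdateUser(db *DB, u UserRecord) {
	if existing, ok := db.Users[u.Name]; ok {
		u.GID = existing.GID
	} else {
		u.GID = u.UID
		db.Groups[u.Name] = GroupRecord{Name: u.Name, GID: u.GID}
	}
	db.Users[u.Name] = u
}

// SetGroupGID models `authctl group set-gid`: it changes the GID of the
// group and of every user whose primary group it is.
func SetGroupGID(db *DB, group string, gid uint32) error {
	g, ok := db.Groups[group]
	if !ok {
		return fmt.Errorf("group %q not found", group)
	}
	old := g.GID
	g.GID = gid
	db.Groups[group] = g
	for name, u := range db.Users {
		if u.GID == old {
			u.GID = gid
			db.Users[name] = u
		}
	}
	return nil
}

// CheckConsistency verifies that every user's primary GID belongs to some
// group record, i.e. that passwd and group views agree.
func CheckConsistency(db *DB) error {
	known := map[uint32]bool{}
	for _, g := range db.Groups {
		known[g.GID] = true
	}
	for _, u := range db.Users {
		if !known[u.GID] {
			return fmt.Errorf("user %s has primary GID %d with no matching group", u.Name, u.GID)
		}
	}
	return nil
}

func main() {
	db := NewDB()
	UpdateUser(db, UserRecord{Name: "alice", UID: 1000}) // first login
	_ = SetGroupGID(db, "alice", 5000)                   // admin changes the GID
	UpdateUser(db, UserRecord{Name: "alice", UID: 1000}) // next login
	fmt.Printf("alice primary GID after re-login: %d (consistency: %v)\n",
		db.Users["alice"].GID, CheckConsistency(db))
}
```

Running the same three steps through `updateUserBuggy` leaves the group at GID 5000 but the user back at GID 1000, which is exactly the divergence the commit describes.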
We've seen cases in e2e-tests where device auth took longer than 2 minutes to complete. When it finally succeeds, the login fails because the subsequent SetData(authenticationBrokerIDKey, ...) call fails:

failed to call com.ubuntu.authd.pam.SetData: dbus: connection closed by user
LOGIN: exiting with error System error: dbus: connection closed by user

We don't want to enforce a timeout for the login procedure here. If there should be a timeout, it should be the caller who enforces it - similar to the behavior of `login`, which is configured via LOGIN_TIMEOUT in /etc/login.defs.
Currently, Ctrl-D has no effect when authd-pam is used. Usually, when typing Ctrl-D in a terminal, the input buffer to the reading process is flushed, and, if the buffer is empty, EOF is sent. With sudo the expected behavior is that it doesn't ask for a password again if an empty password was submitted via Ctrl-D. This commit implements that behavior.
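The terminal semantics this commit message describes, written out as a small password-reading loop. This is an added example, not authd-pam's code: `ReadPassword`, `ErrEOFEmpty` and `Authenticate` are hypothetical names, and the verifier callback and the sample inputs in `main` are constructed. The three cases are the ones the message lists: a newline submits the line, EOF with characters buffered flushes them as the password, and EOF on an empty buffer is an empty submission after which the caller does not prompt again.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// ErrEOFEmpty signals that input ended (Ctrl-D at the terminal) while
// nothing was buffered: the user submitted an empty password and must not
// be prompted again.
var ErrEOFEmpty = errors.New("end of input with empty password")

// ReadPassword reads one password line from br (hypothetical helper):
//   - a newline terminates the password;
//   - EOF after some characters returns them (Ctrl-D flushed the buffer);
//   - EOF with an empty buffer returns ErrEOFEmpty.
func ReadPassword(br *bufio.Reader) (string, error) {
	line, err := br.ReadString('\n')
	switch {
	case err == nil:
		return strings.TrimRight(line, "\r\n"), nil
	case errors.Is(err, io.EOF) && line == "":
		return "", ErrEOFEmpty
	case errors.Is(err, io.EOF):
		return line, nil
	default:
		return "", err
	}
}

// Authenticate drives a prompt loop the way a PAM conversation would: it
// re-prompts on a wrong password up to maxTries, but stops as soon as the
// user ends input with Ctrl-D on an empty line. It reports success and the
// number of prompts shown so the no-re-prompt behaviour can be checked.
func Authenticate(r io.Reader, maxTries int, check func(string) bool) (ok bool, prompts int) {
	br := bufio.NewReader(r) // one buffered reader for the whole session
	for prompts < maxTries {
		prompts++
		pw, err := ReadPassword(br)
		if errors.Is(err, ErrEOFEmpty) {
			// Empty password via Ctrl-D counts as a failed attempt and ends
			// the conversation instead of asking again.
			return false, prompts
		}
		if err != nil {
			return false, prompts
		}
		if check(pw) {
			return true, prompts
		}
	}
	return false, prompts
}

func main() {
	// Constructed verifier: the only accepted password is "secret".
	check := func(pw string) bool { return pw == "secret" }
	ok, n := Authenticate(os.Stdin, 3, check)
	fmt.Printf("authenticated=%v prompts=%d\n", ok, n)
}
```

Run it interactively and press Ctrl-D at the first prompt: the loop exits after one prompt instead of asking twice more. Feeding `printf 'secret'` (no trailing newline) on stdin shows the flush case, where the buffered characters are still accepted.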
Agent-Logs-Url: https://github.com/canonical/authd/sessions/e87699dd-0a45-47c8-ba3e-23f2c57c2b9c
Co-authored-by: adombeck <18482300+adombeck@users.noreply.github.com>
On 32-bit architectures, math.MaxInt32 + 1 is larger than the int type, so it causes the test to fail with:

cmd/authctl/group/set-gid_test.go:52:65: cannot use math.MaxInt32 + 1 (untyped int constant 2147483648) as int value in argument to strconv.Itoa (overflows)

The fix is to use an int64 instead.

refs: https://bugs.launchpad.net/ubuntu/+source/authd/+bug/2148363
Bumps the minor-updates group with 1 update: [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3).

Updates `github.com/mattn/go-sqlite3` from 1.14.38 to 1.14.41
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](mattn/go-sqlite3@v1.14.38...v1.14.41)

---
updated-dependencies:
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
govulncheck reports the following vulnerabilities in go1.25.8:

Vulnerability #1: GO-2026-4947
    Unexpected work during chain building in crypto/x509
    More info: https://pkg.go.dev/vuln/GO-2026-4947
    Standard library
      Found in: crypto/x509@go1.25.8
      Fixed in: crypto/x509@go1.25.9
      Example traces found:
        Error: #1: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.Verify

Vulnerability #2: GO-2026-4946
    Inefficient policy validation in crypto/x509
    More info: https://pkg.go.dev/vuln/GO-2026-4946
    Standard library
      Found in: crypto/x509@go1.25.8
      Fixed in: crypto/x509@go1.25.9
      Example traces found:
        Error: #1: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls x509.Certificate.Verify

Vulnerability #3: GO-2026-4870
    Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
    More info: https://pkg.go.dev/vuln/GO-2026-4870
    Standard library
      Found in: crypto/tls@go1.25.8
      Fixed in: crypto/tls@go1.25.9
      Example traces found:
        Error: #1: internal/testutils/provider.go:104:14: testutils.StartMockProviderServer calls httptest.Server.Start, which eventually calls tls.Conn.HandshakeContext
        Error: #2: cmd/authd-oidc/daemon/daemon_test.go:211:18: daemon_test.TestAppCanSigHupWithoutExecute calls io.Copy, which eventually calls tls.Conn.Read
        Error: #3: cmd/authd-oidc/daemon/daemon_test.go:399:14: daemon_test.TestMain calls fmt.Fprintf, which calls tls.Conn.Write
        Error: #4: internal/broker/broker.go:483:51: broker.Broker.generateUILayout calls oauth2.Config.DeviceAuth, which eventually calls tls.Dialer.DialContext

Vulnerability #4: GO-2026-4865
    JsBraceDepth Context Tracking Bugs (XSS) in html/template
    More info: https://pkg.go.dev/vuln/GO-2026-4865
    Standard library
      Found in: html/template@go1.25.8
      Fixed in: html/template@go1.25.9
      Example traces found:
        Error: #1: internal/broker/broker.go:138:44: broker.New calls template.Error.Error
        Error: #2: internal/broker/config.go:306:21: broker.userConfig.registerOwner calls template.Template.Execute
        Error: #3: internal/broker/config.go:295:46: broker.userConfig.registerOwner calls template.Template.ParseFS
        Error: #4: internal/providers/msentraid/msentraid.go:417:21: msentraid.Provider.VerifyUsername calls fmt.Sprintf, which eventually calls template.context.String
Bumps the minor-updates group with 2 updates: [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) and [golang.org/x/sys](https://github.com/golang/sys).

Updates `github.com/mattn/go-sqlite3` from 1.14.41 to 1.14.42
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](mattn/go-sqlite3@v1.14.41...v1.14.42)

Updates `golang.org/x/sys` from 0.42.0 to 0.43.0
- [Commits](golang/sys@v0.42.0...v0.43.0)

---
updated-dependencies:
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.42
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: golang.org/x/sys
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the minor-updates group with 1 update: [golang.org/x/term](https://github.com/golang/term).

Updates `golang.org/x/term` from 0.41.0 to 0.42.0
- [Commits](golang/term@v0.41.0...v0.42.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Codecov Report

❌ Patch coverage is

Additional details and impacted files

@@            Coverage Diff            @@
##           stable    #1488     +/-   ##
==========================================
+ Coverage   85.56%   85.63%   +0.07%
==========================================
  Files         119      119
  Lines        7674     7681       +7
  Branches      111      111
==========================================
+ Hits         6566     6578      +12
+ Misses       1052     1047       -5
  Partials       56       56

View full report in Codecov by Sentry.