[Pkg-shadow-devel] Re: {user,group}{add,mod,del} now PAMified
Alexander Gattin
xrgtn at yandex.ru
Mon Nov 7 22:34:54 UTC 2005
Hi!
On Mon, Nov 07, 2005 at 05:37:05AM -0800, Steve Langasek wrote:
> > Steve, I'm not sure why you wish to revert to the non-PAMified versions.
>
> Because I can't figure out what this PAM support is actually good for in the
> real world, and all other things being equal, the simpler design is always
> better. So far, all of the use cases I've heard suggested for PAM support
> in these particular tools are AFAICT entirely theoretical.
OK, so if I provide you with a grsec policy which restricts
root from changing:
/etc/{passwd,group,shadow,gshadow},
/etc/pam.d/{passwd,gpasswd,chsh,chfn,chage}
/etc/pam.d/{user,group}{add,del,mod}
/usr/bin/{passwd,gpasswd,chsh,chfn,chage},
/usr/sbin/{user,group}{add,del,mod},
(and libraries used by above binaries)
allows writing to /etc/{passwd,group,shadow,gshadow}
only with:
/usr/bin/{passwd,gpasswd,chsh,chfn,chage}
/usr/sbin/{user,group}{add,del,mod}
will you believe that there exists a practical use for PAM
in {user,group}{add,del,mod}, e.g. for restricting root?
P.S.
Also, PAM could be used for mounting files R/W then
remounting R/O back after session terminates...
--
WBR,
xrgtn
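As an added illustration (not part of the original mail, and not a policy shipped by the shadow package or by grsecurity), the restriction sketched above written out as a grsecurity RBAC policy fragment in gradm's policy syntax. It assumes the object-mode letters r (read), w (write), c (create), d (delete), l (link) and h (hide), the subject mode o (override inheritance from the parent subject), and the role mode uG (a user role that may also run gradm); the lock/backup file names useradd touches under /etc (passwd.lock, passwd+, passwd-, and likewise for the other databases) are an assumption about shadow's locking scheme and should be confirmed with gradm's learning mode before the policy is enabled. Only useradd is spelled out; the other five tools and the gpasswd/passwd family get identical subjects.

```text
# Constructed example policy: root may read but not modify the account
# databases, the PAM configuration or the tools themselves; only the
# listed binaries may write the databases.
role root uG
subject / o
	/				r
	/etc/passwd			r
	/etc/group			r
	/etc/shadow			r
	/etc/gshadow			r
	/etc/pam.d/passwd		r
	/etc/pam.d/gpasswd		r
	/etc/pam.d/chsh			r
	/etc/pam.d/chfn			r
	/etc/pam.d/chage		r
	/etc/pam.d/useradd		r
	/etc/pam.d/userdel		r
	/etc/pam.d/usermod		r
	/etc/pam.d/groupadd		r
	/etc/pam.d/groupdel		r
	/etc/pam.d/groupmod		r
	/usr/bin/passwd			rx
	/usr/bin/gpasswd		rx
	/usr/bin/chsh			rx
	/usr/bin/chfn			rx
	/usr/bin/chage			rx
	/usr/sbin/useradd		rx
	/usr/sbin/userdel		rx
	/usr/sbin/usermod		rx
	/usr/sbin/groupadd		rx
	/usr/sbin/groupdel		rx
	/usr/sbin/groupmod		rx
	# the libraries the tools load stay read/execute only
	/lib				rx
	/usr/lib			rx

# One subject per tool: it inherits nothing (o) and is the only path
# through which the databases become writable.  Assumed lock/backup
# names follow shadow's "<file>.lock", "<file>+", "<file>-" scheme.
subject /usr/sbin/useradd o
	/				h
	/etc				r
	/etc/passwd			rw
	/etc/passwd.lock		rwcdl
	/etc/passwd+			rwcdl
	/etc/passwd-			rwcdl
	/etc/shadow			rw
	/etc/shadow.lock		rwcdl
	/etc/shadow+			rwcdl
	/etc/shadow-			rwcdl
	/etc/group			rw
	/etc/group.lock			rwcdl
	/etc/group+			rwcdl
	/etc/group-			rwcdl
	/etc/gshadow			rw
	/etc/gshadow.lock		rwcdl
	/etc/gshadow+			rwcdl
	/etc/gshadow-			rwcdl
	/etc/pam.d/useradd		r
	/etc/login.defs			r
	/etc/default/useradd		r
	/home				rwcd
	/lib				rx
	/usr/lib			rx
```

With such a policy in force, root's only route to a new account is useradd, and whatever /etc/pam.d/useradd says (which root also cannot edit) becomes a check that a compromised root session cannot bypass by writing /etc/passwd directly; that is the practical value the mail argues for. Run the policy in learning mode first, since any lock or temporary file name not granted here will make the tool fail rather than silently succeed.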