[Pkg-shadow-devel] Re: {user,group}{add,mod,del} now PAMified

Steve Langasek vorlon at debian.org
Wed Nov 9 10:18:08 UTC 2005 

On Tue, Nov 08, 2005 at 12:34:54AM +0200, Alexander Gattin wrote:

> On Mon, Nov 07, 2005 at 05:37:05AM -0800, Steve Langasek wrote:
> > > Steve, I'm not sure why you wish to revert to the non-PAMified versions.

> > Because I can't figure out what this PAM support is actually good for in the
> > real world, and all other things being equal, the simpler design is always
> > better.  So far, all of the use cases I've heard suggested for PAM support
> > in these particular tools are AFAICT entirely theoretical.

> OK, so if I provide you with a grsec policy which restricts
> root from changing:
>  /etc/{passwd,group,shadow,gshadow},
>  /etc/pam.d/{passwd,gpasswd,chsh,chfn,chage}
>  /etc/pam.d/{user,group}{add,del,mod}
>  /usr/bin/{passwd,gpasswd,chsh,chfn,chage},
>  /usr/sbin/{user,group}{add,del,mod},
>  (and libraries used by above binaries)

> allows writing to /etc/{passwd,group,shadow,gshadow}
> only with:
>  /usr/bin/{passwd,gpasswd,chsh,chfn,chage}
>  /usr/sbin/{user,group}{add,del,mod}

> will you beleive that there exists practical use for PAM
> in {user,group}{add,del,mod} e.g. for restricting root?

Sure, if you also tell me that someone is *using* this grsec policy,
together with a non-default PAM config for the user* and group* tools... :)

I understand how it *could* be used; I'm just not convinced that it's
generally worthwhile, or that it's worth the extra complexity.

> Also, PAM could be used for mounting files R/W then
> remounting R/O back after session terminates...

So could a shell wrapper in /usr/local/sbin, though...?  If there's no
actual need for authentication/authorization functionality, I don't think
it makes sense to use PAM just on the theory that people *could* write PAM
modules to extend functionality.

Anyway, not my package; if my arguments aren't persuasive, I'm sure that
I'll survive having a few more files under /etc/pam.d, I just don't think
it's a very good design choice.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20051109/11b86774/attachment.pgp

More information about the Pkg-shadow-devel mailing list