[Pkg-shadow-devel] Re: [Pkg-shadow-commits] r560 - trunk

Alexander Gattin xrgtn at yandex.ru
Sun Oct 2 18:08:49 UTC 2005


Hi!

On Sun, Oct 02, 2005 at 05:12:46PM +0000, Alexander Gattin wrote:
> +NOTE: maybe instead of custom authentication and authorisation it's time to
> +      start using PAM authentication and only keep custom authorisation
> +      (which allows root to change anyone's shell, while allows anyone to
> +      change her own only)?
> +      This would involve using slightly different pam.d/chsh (and pam.d/chfn)
> +      -- I mean add pam_rootok there.

I hope my intentions are clear here. I just think that
chsh/chfn should be pam-ified the same way as chpasswd
and other utils.

At first step, authentication should be pam-ified, i.e.
pam_authenticate() used instead of the current
passwd_check():
> #ifndef USE_PAM
> 	/*
> 	 * Non-privileged users are optionally authenticated (must enter the
> 	 * password of the user whose information is being changed) before
> 	 * any changes can be made. Idea from util-linux chfn/chsh. 
> 	 * --marekm
> 	 */
> 	if (!amroot && getdef_bool ("CHFN_AUTH"))
> 		passwd_check (pw->pw_name, pw->pw_passwd, "chfn");
> 
> #endif				/* !USE_PAM */
Simultaneously pam.d files for chsh and chfn should be
changed to include pam_rootok (to mimic old behaviour)
-- see attachment.

As for authorisation and allowing updates to
LDAP/whatever else backends, this would be planned for
future, but IMHO Debian will use only lowlevel features
of shadow suite, anyway, so this is not of our primary
interest.

P.S.
Previously authentication was performed always,
currently only in non-PAM mode AFAIS. I think we should
stick to old behaviour. Either by using pam_start(),
pam_authenticate() etc. (i.e. by performing full-blown
pam-ification) or by "#undef USE_PAM"...

-- 
WBR,
xrgtn
-------------- next part --------------
Index: debian/passwd.chfn.pam
===================================================================
--- debian/passwd.chfn.pam	(revision 559)
+++ debian/passwd.chfn.pam	(working copy)
@@ -2,6 +2,10 @@
 # The PAM configuration file for the Shadow `chfn' service
 #
 
+# This allows root to change user infomation without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
 # The standard Unix authentication modules, used with
 # NIS (man nsswitch) as well as normal /etc/passwd and
 # /etc/shadow entries.
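Review bot: typo in the new comment block, "infomation" should be "information". The placement itself looks right for the stated goal: putting `auth sufficient pam_rootok.so` at the top of the auth stack means a uid 0 caller succeeds immediately and never reaches the standard Unix modules below, which reproduces the old `!amroot` short-circuit around passwd_check() in chfn.c.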
Index: debian/passwd.chsh.pam
===================================================================
--- debian/passwd.chsh.pam	(revision 559)
+++ debian/passwd.chsh.pam	(working copy)
@@ -7,6 +7,10 @@
 # accounts with special shells from changing them.
 auth       required   pam_shells.so
 
+# This allows root to change user shell without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
 # The standard Unix authentication modules, used with
 # NIS (man nsswitch) as well as normal /etc/passwd and
 # /etc/shadow entries.
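Review bot: ordering question for the new `auth sufficient pam_rootok.so` line: it is inserted after `auth required pam_shells.so`, and a `required` failure is remembered and not overridden by a later `sufficient` success, so root will still be refused whenever pam_shells rejects the target account's current shell. If that is intended (the existing comment says accounts with special shells must not have them changed), state it in the new comment; otherwise move the pam_rootok line above pam_shells, as passwd.chfn.pam puts it at the top of the stack. Also, "change user shell" reads better as "change a user's shell".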

