[Pkg-shadow-devel] Bug#249372: "Please enable login for GNU/Hurd": Can someone summarize this bug report?

[Alexander Gattin]

Hi!

On Mon, Oct 10, 2005 at 12:54:59AM +0200, Nicolas François wrote:
> Here is the (I hope complete list) of variables used by the shadow
> utilities (I hope it is not in dead code), sorted by package/utility and
> by variable.

Thanks a lot for this job.

> I did not find any differences with or without the patch 404 (so this list
> should be maintained after the re-PAMification).

There are no differences because PAM-ification of
e.g. useradd/userdel and usermod does not _replace_
anything but only _adds_ PAM auth there. The same for
group{add,mod,del}.

chsh/chfn are not affected by 404th patch, so replacing
> 	if (!amroot && getdef_bool ("CHSH_AUTH"))
> 		passwd_check (pw->pw_name, pw->pw_passwd, "chsh");
with _empty_ PAM auth was done earlier, that's why
current chfn/chsh don't ask for user's passwd at all.
Now Tomasz inserted valid PAM auth code there.

CHSH_AUTH/CHFN_AUTH weren't documented in login.defs at
all, now I'm adding them to OBSOLETED BY PAM section.

> I've made this list by checking which getdef_* calls were linked in the
> utilities,

by objdump -t? or by what means?

> and then by (quickly) checking wether these getdef_ were really
> used. (So it may not be exact).

We will research this with time.
Anyway, as it appears, most hard "users" of login.defs
are still /bin/login and /bin/su

> variables used in both passwd and login packages:
> GETPASS_ASTERISKS (maybe newgrp should be PAMified?), CONSOLE_GROUPS
> (maybe expiry should be PAMified?)

PAM-ification of newgrp won't help with
GETPASS_ASTERISKS because this is not user
authentication and can't be handled by PAM now.

CONSOLE_GROUPS in expiry is another interesting thing,
I'm not sure about PAM-ification here, but it may
really help, I think, although there is a problem with
"auth pam_unix.so", which will prompt for password,
while pam_permit.so won't grant membership in groups...

-- 
WBR,
xrgtn