[Pkg-shadow-devel] Bug#249372: "Please enable login for GNU/Hurd": Can someone summarize this bug report?

Alexander Gattin xrgtn at yandex.ru
Mon Oct 10 14:41:29 UTC 2005


On Mon, Oct 10, 2005 at 05:04:32PM +0300, Alexander Gattin wrote:
> > variables used in both passwd and login packages:
> > GETPASS_ASTERISKS (maybe newgrp should be PAMified?), CONSOLE_GROUPS
> > (maybe expiry should be PAMified?)
> 
> PAM-ification of newgrp won't help with
> GETPASS_ASTERISKS because this is not user
> authentication and can't be handled by PAM now.
> 
> CONSOLE_GROUPS in expiry is another interesting thing,
> I'm not sure about PAM-ification here, but it may
> really help, I think, although there is a problem with
> "auth pam_unix.so", which will prompt for password,
> while pam_permit.so won't grant membership in groups...

oops, stupid assumption -- pam_unix.so does not
initialize user's groups. This should be done
explicitly with initgroups()/setgroups().

But initgroups() in expiry.c:expire():set_uid_gid()
does not cause any problems for us with CONSOLE_GROUPS, as
the latter is used separately _after_ initgroups() to
set _additional_ groups for a user which are defined in
CONSOLE_GROUPS.

Moreover, set_uid_gid() is itself used only for
mimicking the user's environment before executing the _passwd_
binary.

Thus, semantically we can PAM-ify expiry in 2 ways:
1. PAM-ify process of setting _additional_ groups for user
   (before executing passwd)
2. PAM-ify process of changing password, i.e. replace
   _executing_ passwd with usual pam_start(), pam_chauthtok(),
   pam_end() sequence

I'd prefer the second way, mostly because I can't even
imagine what to write in comments for the 1st
PAM-ification method inside /etc/pam.d/expiry in order
for a sysadmin to understand what these lines (by
default something like "auth optional pam_group.so") are intended
for...

-- 
WBR,
xrgtn
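The group-setup order discussed above (the user's own supplementary groups as initgroups() would install them, then the CONSOLE_GROUPS additions on top, then the drop to the user's gid/uid) as an added C example; this is illustrative code written for this page, not shadow's expiry.c. The names build_group_list, drop_to_user, demo_lookup and real_lookup are assumptions, and the group table in demo_groups is constructed so the program runs without reading /etc/group.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64

/* Resolver for group names. In a real program this would be getgrnam()
 * (see real_lookup below); the constructed demo table lets the example
 * run deterministically without touching the system group database. */
typedef int (*group_lookup_fn)(const char *name, gid_t *gid);

static const struct { const char *name; gid_t gid; } demo_groups[] = {
    { "audio", 29 }, { "floppy", 25 }, { "cdrom", 24 }, { "dialout", 20 },
};

/* Constructed lookup: 0 on success, -1 if the name is unknown. */
int demo_lookup(const char *name, gid_t *gid) {
    for (size_t i = 0; i < sizeof demo_groups / sizeof demo_groups[0]; i++) {
        if (strcmp(demo_groups[i].name, name) == 0) {
            *gid = demo_groups[i].gid;
            return 0;
        }
    }
    return -1;
}

/* Real lookup against /etc/group (or NSS) via getgrnam(). */
int real_lookup(const char *name, gid_t *gid) {
    struct group *gr = getgrnam(name);
    if (gr == NULL) return -1;
    *gid = gr->gr_gid;
    return 0;
}

/* Append gid unless already present; returns the new count or -1 if full. */
static int add_gid(gid_t *list, int count, gid_t gid) {
    for (int i = 0; i < count; i++)
        if (list[i] == gid) return count;
    if (count >= MAX_GROUPS) return -1;
    list[count] = gid;
    return count + 1;
}

/* Build the final supplementary-group list: base[] is what initgroups()
 * resolved for the user; extra is a CONSOLE_GROUPS-style comma-separated
 * list of group names. Unknown names are reported and skipped rather than
 * mapped to any default gid; duplicates are collapsed. Returns the number
 * of gids written to out[], or -1 if the list would overflow. */
int build_group_list(const gid_t *base, int nbase, const char *extra,
                     group_lookup_fn lookup, gid_t *out) {
    int n = 0;
    for (int i = 0; i < nbase; i++) {
        n = add_gid(out, n, base[i]);
        if (n < 0) return -1;
    }
    if (extra == NULL || *extra == '\0') return n;

    char buf[256];
    strncpy(buf, extra, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    char *save = NULL;
    for (char *tok = strtok_r(buf, ",", &save); tok != NULL;
         tok = strtok_r(NULL, ",", &save)) {
        gid_t gid;
        if (lookup(tok, &gid) != 0) {
            fprintf(stderr, "CONSOLE_GROUPS: unknown group '%s' ignored\n", tok);
            continue;
        }
        n = add_gid(out, n, gid);
        if (n < 0) return -1;
    }
    return n;
}

/* Apply the list and drop privileges in the only safe order: supplementary
 * groups first (needs root), then gid, then uid. After the drop, verify
 * that root cannot be regained, since a silently failed setuid() would
 * leave the passwd child running as root. Returns 0 on success. */
int drop_to_user(uid_t uid, gid_t gid, const gid_t *groups, int ngroups) {
    if (setgroups((size_t)ngroups, groups) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void) {
    gid_t base[] = { 1000, 27 };               /* constructed: users, sudo */
    gid_t out[MAX_GROUPS];
    int n = build_group_list(base, 2, "audio,floppy,nosuchgroup,audio",
                             demo_lookup, out);
    printf("%d supplementary groups:", n);
    for (int i = 0; i < n; i++) printf(" %u", (unsigned)out[i]);
    printf("\n");
    return n < 0;
}
```

The lookup callback is the point of the design: the merge and deduplication logic is what needs to be correct, so it is kept separate from both the group database and the privileged setgroups()/setgid()/setuid() calls, and can be exercised without root.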