[Pkg-shadow-devel] [PATCH 0/5] Make shadow more robust in hostile environments
Dimitri John Ledkov
dimitri.j.ledkov at intel.com
Mon Mar 30 09:55:04 UTC 2015
On 22 March 2015 at 06:04, Mike Frysinger <vapier at gentoo.org> wrote:
> On 20 Mar 2015 13:49, Dimitri John Ledkov wrote:
>> * during testing I have noticed that when shadow is compiled with PAM
>> support, settings that are not-applicable any more, but present in
>> the stock /etc/login.defs are being complained about. So I made a
>> change for shadow to not complain about well-known settings, which
>> are not in effect when compiled with PAM support. If this is
>> undesirable, maybe instead we would want to pre-process login.defs
>> at compile time to make sure they do not contain any unknown
>> settings in a given configuration (with/without pam, with/without
>> subuids, etc.)
>
> i think it is desirable to warn. i've gotten reports where users tried to
> modify the file while using pam and were surprised by the result. in Gentoo,
> we process the file during install when pam is on so each of the options gets
> a banner above it:
> # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
>
> if shadow itself did that munging, it'd be nice
> -mike
Ok, I'll work on fixing that.
--
Regards,
Dimitri.
https://clearlinux.org
Open Source Technology Center
Intel Corporation (UK) Ltd. - Co. Reg. #1134945 - Pipers Way, Swindon SN3 1RJ.
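
The install-time processing Mike describes for Gentoo could look like the sketch below. It is an added example, not code from this thread, from shadow or from Gentoo's packaging. The function name annotate_login_defs and the contents of PAM_HANDLED are assumptions; the real list of options must come from the shadow build in use.

```shell
#!/bin/sh
# Added example: label login.defs options that have no effect under PAM.
# PAM_HANDLED is an assumed, illustrative list of option names; replace it
# with the options your shadow build actually ignores when built with PAM.
PAM_HANDLED="FAILLOG_ENAB LASTLOG_ENAB MOTD_FILE PASS_MIN_LEN"

# Banner text as quoted in the message above.
BANNER='# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.'

# annotate_login_defs: read a login.defs on stdin, write the annotated copy
# on stdout. Settings are left untouched; only banner lines are inserted.
annotate_login_defs() {
    awk -v opts="$PAM_HANDLED" -v banner="$BANNER" '
        BEGIN {
            n = split(opts, names, " ")
            for (i = 1; i <= n; i++) handled[names[i]] = 1
        }
        {
            # Option name is the first field; strip a leading "#" so that
            # commented-out defaults such as "#MOTD_FILE" are labelled too.
            key = $1
            sub(/^#/, "", key)
            # Skip the banner if the previous line already is one, so
            # running the script twice does not stack banners.
            if ((key in handled) && prev != banner) print banner
            print
            prev = $0
        }
    '
}
```

Typical use is as a filter during packaging, for example annotate_login_defs < login.defs > login.defs.new, followed by a review of the diff before installing the result.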