Ok, many people today have seen bugs related to "openpam compatibility fixes".
I think it's better to explain what's going on, why I'm filing them and why some
of them are marked "openpam and amd64 compatibility".

For those who don't remember, OpenPAM[1] is the PAM implementation used by
FreeBSD, so also by the Gentoo/FreeBSD project. OpenPAM is a base framework which
actually doesn't provide modules, but just libpam and related utils.
It's lighter but usually compatible with sys-libs/pam (Linux-PAM actually).

Using PAM, many packages just use pam_stack.so to provide the same
authentication scheme as base login (system-auth), but this makes some things
a bit complex. This is because pam_stack.so is a non-standard module which was
created by RedHat, that Gentoo "inherited" and which is used by many pamd
files in the tree.

OpenPAM and Linux-PAM 0.78 provide the same functionality as pam_stack.so through
the "include directive", so something like

auth required pam_stack.so service=system-auth

can be changed to

auth include system-auth

and works fine both on >=sys-libs/pam-0.78 and openpam (G/FBSD).

I'm walking through the tree to fix packages which use pam_stack.so and submit
bugs for them, so that they use the include directive. Some of them just use a
pamd file which includes system-auth; in this case I reported them to use
pamd_mimic_system, which is a function I wrote in the pam eclass[2], which is
still not in portage as it's waiting for Azarah's review. This is because using
that function you avoid having one more file in the tree.

The main issue with changing the files is that the minimum version required by the
include directive for sys-libs/pam is 0.78, which is in ~arch for now. This
means that packages need a revbump to fix the dependency. The version
requirement is already taken care of by the virtual/pam virtual, which is provided by
the right ebuilds.

Now, why is amd64 involved in this?
Many pamd files specify the entire path to the modules they use, so for
example, to use pam_stack, they use /lib/security/pam_stack.so .
This is valid now, but in the no-lib32 profile for amd64, where /lib points to the
32-bit version instead of 64-bit as it does now, it will fail.
Avoiding the full path and using just the pam module's name fixes the problem
both for amd64 and for openpam (openpam installs modules in /usr/lib).

This is ok for the pamd files in the tree, for which I'll take care to report
fixes to maintainers, but the problem is for packages which don't install
the pamd file from the tree but from their own sources. In those cases, I
can't do much, as I don't know all the packages in the tree to fix them, and
the ones I use I already take care of.

So if you are a maintainer who knows that your package installs a pamd file,
drop a line to me (mail or irc) and I'll take care of looking at it for
eventual openpam/amd64 compatibility fixes. This can also be done in a second
moment for g/fbsd, but there can be problems with amd64, and fixing all
the packages soon is still important.

Oh, please note that not just pamd files need fixes for G/FBSD, but also pam
modules, so I may also need to take a look at some packages which install
pam modules. A full tracker for pam issues with g/fbsd is on bug #93119[3].

[1] http://www.openpam.org/
[2] https://bugs.gentoo.org/show_bug.cgi?id=93118
[3] https://bugs.gentoo.org/show_bug.cgi?id=93119
--
Diego "Flameeyes" Pettenò
Gentoo Developer (Gentoo/FreeBSD, Video, Gentoo/AMD64)

http://dev.gentoo.org/~flameeyes/
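
The two pamd rewrites described in the message above (pam_stack.so to the include directive, and full module paths to bare module names), as an added example that is not part of the original post or of any Gentoo tool. The function names and the sample file are constructed for illustration; treating only the `required` form as a direct replacement is an assumption based on the single case the post shows.

```python
import posixpath

def split_rule(line):
    """Split a pam.d rule into (facility, control, module, args), or None."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        return None
    facility, rest = fields[0], fields[1:]
    if rest[0].startswith("["):
        # A bracketed control such as [success=1 default=ignore] contains spaces.
        end = next((i for i, f in enumerate(rest) if f.endswith("]")), None)
        if end is None or end + 1 >= len(rest):
            return None
        return facility, " ".join(rest[:end + 1]), rest[end + 1], rest[end + 2:]
    return facility, rest[0], rest[1], rest[2:]

def convert_line(line):
    """Return (new_line, note); note is None when the line is left alone."""
    rule = split_rule(line)
    if rule is None:
        return line, None
    facility, control, module, args = rule
    name = posixpath.basename(module)
    if name == "pam_stack.so":
        one = len(args) == 1 and args[0].startswith("service=")
        service = args[0][len("service="):] if one else ""
        # Assumption: other control flags or extra arguments get a human look.
        if control == "required" and service:
            return f"{facility}\tinclude\t{service}", "pam_stack.so -> include"
        return line, "pam_stack.so needs manual review"
    if module != name:
        fixed = "\t".join([facility, control, name] + args)
        return fixed, "full module path dropped"
    return line, None

def convert_pamd(text):
    """Convert a whole pamd file; return (new_text, [(line_no, note), ...])."""
    results = [convert_line(l) for l in text.splitlines()]
    notes = [(n, note) for n, (_, note) in enumerate(results, 1) if note]
    return "\n".join(new for new, _ in results) + "\n", notes

# Constructed sample pamd file, not taken from any package.
SAMPLE = """\
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   pam_stack.so service=system-auth
session    include      system-auth
"""
if __name__ == "__main__":
    fixed, notes = convert_pamd(SAMPLE)
    print(fixed + "".join(f"# line {n}: {note}\n" for n, note in notes), end="")
```
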