1 |
Richard Freeman <rich@××××××××××××××.net> posted |
2 |
472DB4C5.60100@××××××××××××××.net, excerpted below, on Sun, 04 Nov 2007 |
3 |
07:02:13 -0500: |
4 |
|
5 |
> Mark Knecht wrote: |
6 |
>> OK, knowing as you all do that I'm a non-admin sort of person these |
7 |
>> sort of instructions - the |
8 |
>> 2 paragraphs at the end - scare me. I hate having to guess what anyone |
9 |
>> means. |
10 |
>> |
11 |
>> lightning pam.d # qfile -o /etc/pam.d/* /etc/pam.d/gdmconfig |
12 |
>> /etc/pam.d/xdm |
13 |
>> lightning pam.d # |
14 |
>> |
15 |
>> |
16 |
> I was having the same problems earlier in the week. The solution is |
17 |
> actually pretty simple. The output above indicates that xdm and |
18 |
> gdmconfig aren't being used any longer - they're orphans. I just moved |
19 |
> the files elsewhere (for temporary safe-keeping), and upgraded PAM, and |
20 |
> there were no issues. All the files that used the obsolete functions |
21 |
> were upgraded some time ago apparently - but if you have a system that |
22 |
> has been upgraded year-after-year apparently there are orphan files that |
23 |
> date WAY back... |
24 |
> |
25 |
> However, I agree that PAM is one of those things that everybody depends |
26 |
> on but otherwise seems to behave like black magic for most people. I've |
27 |
> yet to see a guide on PAM that actually makes it easy to understand. |
28 |
|
29 |
Agreed with getting the stale files out of the way... remember where you |
30 |
put them in case you need them, and setup a reminder if you like, to |
31 |
delete them in a month or so if nothing goes wrong. That's a pretty |
32 |
generic one-size-fits-all solution for "mystery files". =8^) |
33 |
|
34 |
The idea with pam_stack.so is to remove from your active config anything |
35 |
that mentions it. So after removing any stale files, search/grep/ |
36 |
whatever the dir for anything else containing pam_stack.so. Those are |
37 |
the files and lines that must be changed, because pam_stack.so no longer |
38 |
exists after the upgrade. |
39 |
|
40 |
As for pam_console.so, let's illustrate what it does with an example, |
41 |
we'll say the sound devices. On Gentoo by default they are set |
42 |
accessible by the audio group. Now consider an office machine used by a |
43 |
number of folks in the office, all who have users in the audio group. |
44 |
Say someone's working at the machine, and his co-worker decides to play a |
45 |
prank. Logging in remotely from another machine, since he's in the audio |
46 |
group, he turns up the volume and plays a nice juicy fart sound! |
47 |
Obviously that could be rather embarrassing! =8^) |
48 |
|
49 |
That is of course an amusing example, but there are more security |
50 |
oriented ones as well. What pam_console does is provide a way to |
51 |
dynamically control permissions for various system devices based on who |
52 |
is actually logged on at the console. It's specific user permissions |
53 |
rather than general group permissions, but they are effective only when |
54 |
the user is logged in. |
55 |
|
56 |
Unfortunately, pam_console seriously "complexifies" administration, |
57 |
because now instead of having to worry about permissions in one or two |
58 |
spots (udev config and perhaps device specific settings elsewhere), |
59 |
there's a third spot as well, and what's even worse, the dynamic behavior |
60 |
makes it harder to troubleshoot. Worst of all, depending on login |
61 |
method, some sessions, particularly X sessions, aren't considered console |
62 |
sessions at all. Thus, it's possible for a user to be sitting at the |
63 |
machine and actively working in X, but not be considered "logged in" at |
64 |
the console, in which case all those permissions pam_console is supposed |
65 |
to grant won't apply, and the user (and admin) are often left trying to |
66 |
figure out why the user doesn't have the permissions udev and etc say he |
67 |
SHOULD have! |
68 |
|
69 |
So while pam_console has its place on a system used by many separate user |
70 |
logins, Gentoo devs eventually got tired of tracking down the related |
71 |
permissions issues and decided it was better to have pam_console as a |
72 |
separate package and disabled by default. "And Gentoo users and admins |
73 |
everywhere danced with joy!" =8^) |
74 |
|
75 |
So that's the story behind pam_console -- you were right, it /should/ be |
76 |
left commented, unless you want to seriously "complexify" your |
77 |
administrative duties. =8^) |
78 |
|
79 |
-- |
80 |
Duncan - List replies preferred. No HTML msgs. |
81 |
"Every nonfree program has a lord, a master -- |
82 |
and if you use the program, he is your master." Richard Stallman |
83 |
|
84 |
-- |
85 |
gentoo-amd64@g.o mailing list |