[gentoo-amd64] Re: Problems with pam-0.99 upgrade - gentoo-amd64

From:	Duncan <1i5t5.duncan@×××.net>
To:	gentoo-amd64@l.g.o
Subject:	[gentoo-amd64] Re: Problems with pam-0.99 upgrade
Date:	Sun, 04 Nov 2007 13:26:18
Message-Id:	`pan.2007.11.04.13.23.48@cox.net`
In Reply to:	Re: [gentoo-amd64] Problems with pam-0.99 upgrade by Richard Freeman

1

Richard Freeman <rich@××××××××××××××.net> posted

2

472DB4C5.60100@××××××××××××××.net, excerpted below, on  Sun, 04 Nov 2007

3

07:02:13 -0500:

4

5

> Mark Knecht wrote:

6

>> OK, knowing as you all do that I'm a non-admin sort of person these

7

>> sort of instructions - the

8

>> 2 paragraphs at the end - scare me. I hate having to guess what anyone

9

>> means.

10

>>

11

>> lightning pam.d # qfile -o /etc/pam.d/* /etc/pam.d/gdmconfig

12

>> /etc/pam.d/xdm

13

>> lightning pam.d #

14

>>

15

>>

16

> I was having the same problems earlier in the week.  The solution is

17

> actually pretty simple.  The output above indicates that xdm and

18

> gdmconfig aren't being used any longer - they're orphans.  I just moved

19

> the files elsewhere (for temporary safe-keeping), and upgraded PAM, and

20

> there were no issues.  All the files that used the obsolete functions

21

> were upgraded some time ago apparently - but if you have a system that

22

> has been upgraded year-after-year apparently there are orphan files that

23

> date WAY back...

24

>

25

> However, I agree that PAM is one of those things that everybody depends

26

> on but otherwise seems to behave like black magic for most people.  I've

27

> yet to see a guide on PAM that actually makes it easy to understand.

28

29

Agreed with getting the stale files out of the way... remember where you 

30

put them in case you need them, and setup a reminder if you like, to 

31

delete them in a month or so if nothing goes wrong.  That's a pretty 

32

generic one-size-fits-all solution for "mystery files". =8^)

33

34

The idea with pam_stack.so is to remove from your active config anything 

35

that mentions it.  So after removing any stale files, search/grep/

36

whatever the dir for anything else containing pam_stack.so.  Those are 

37

the files and lines that must be changed, because pam_stack.so no longer 

38

exists after the upgrade.

39

40

As for pam_console.so, let's illustrate what it does with an example, 

41

we'll say the sound devices.  On Gentoo by default they are set 

42

accessible by the audio group.  Now consider an office machine used by a 

43

number of folks in the office, all who have users in the audio group.  

44

Say someone's working at the machine, and his co-worker decides to play a 

45

prank.  Logging in remotely from another machine, since he's in the audio 

46

group, he turns up the volume and plays a nice juicy fart sound!  

47

Obviously that could be rather embarrassing! =8^)  

48

49

That is of course an amusing example, but there are more security 

50

oriented ones as well.  What pam_console does is provide a way to 

51

dynamically control permissions for various system devices based on who 

52

is actually logged on at the console.  It's specific user permissions 

53

rather than general group permissions, but they are effective only when 

54

the user is logged in.

55

56

Unfortunately, pam_console seriously "complexifies" administration, 

57

because now instead of having to worry about permissions in one or two 

58

spots (udev config and perhaps device specific settings elsewhere), 

59

there's a third spot as well, and what's even worse, the dynamic behavior 

60

makes it harder to troubleshoot.  Worst of all, depending on login 

61

method, some sessions, particularly X sessions, aren't considered console 

62

sessions at all.  Thus, it's possible for a user to be sitting at the 

63

machine and actively working in X, but not be considered "logged in" at 

64

the console, in which case all those permissions pam_console is supposed 

65

to grant won't apply, and the user (and admin) are often left trying to 

66

figure out why the user doesn't have the permissions udev and etc say he 

67

SHOULD have!

68

69

So while pam_console has its place on a system used by many separate user 

70

logins, Gentoo devs eventually got tired of tracking down the related 

71

permissions issues and decided it was better to have pam_console as a 

72

separate package and disabled by default.  "And Gentoo users and admins 

73

everywhere danced with joy!" =8^)

74

75

So that's the story behind pam_console -- you were right, it /should/ be 

76

left commented, unless you want to seriously "complexify" your 

77

administrative duties. =8^)

78

79

--

80

Duncan - List replies preferred.   No HTML msgs.

81

"Every nonfree program has a lord, a master --

82

and if you use the program, he is your master."  Richard Stallman

83

84

--

85

gentoo-amd64@g.o mailing list

1	Richard Freeman <rich@××××××××××××××.net> posted
2	472DB4C5.60100@××××××××××××××.net, excerpted below, on Sun, 04 Nov 2007
3	07:02:13 -0500:
4
5	> Mark Knecht wrote:
6	>> OK, knowing as you all do that I'm a non-admin sort of person these
7	>> sort of instructions - the
8	>> 2 paragraphs at the end - scare me. I hate having to guess what anyone
9	>> means.
10	>>
11	>> lightning pam.d # qfile -o /etc/pam.d/* /etc/pam.d/gdmconfig
12	>> /etc/pam.d/xdm
13	>> lightning pam.d #
14	>>
15	>>
16	> I was having the same problems earlier in the week. The solution is
17	> actually pretty simple. The output above indicates that xdm and
18	> gdmconfig aren't being used any longer - they're orphans. I just moved
19	> the files elsewhere (for temporary safe-keeping), and upgraded PAM, and
20	> there were no issues. All the files that used the obsolete functions
21	> were upgraded some time ago apparently - but if you have a system that
22	> has been upgraded year-after-year apparently there are orphan files that
23	> date WAY back...
24	>
25	> However, I agree that PAM is one of those things that everybody depends
26	> on but otherwise seems to behave like black magic for most people. I've
27	> yet to see a guide on PAM that actually makes it easy to understand.
28
29	Agreed with getting the stale files out of the way... remember where you
30	put them in case you need them, and setup a reminder if you like, to
31	delete them in a month or so if nothing goes wrong. That's a pretty
32	generic one-size-fits-all solution for "mystery files". =8^)
33
34	The idea with pam_stack.so is to remove from your active config anything
35	that mentions it. So after removing any stale files, search/grep/
36	whatever the dir for anything else containing pam_stack.so. Those are
37	the files and lines that must be changed, because pam_stack.so no longer
38	exists after the upgrade.
39
40	As for pam_console.so, let's illustrate what it does with an example,
41	we'll say the sound devices. On Gentoo by default they are set
42	accessible by the audio group. Now consider an office machine used by a
43	number of folks in the office, all who have users in the audio group.
44	Say someone's working at the machine, and his co-worker decides to play a
45	prank. Logging in remotely from another machine, since he's in the audio
46	group, he turns up the volume and plays a nice juicy fart sound!
47	Obviously that could be rather embarrassing! =8^)
48
49	That is of course an amusing example, but there are more security
50	oriented ones as well. What pam_console does is provide a way to
51	dynamically control permissions for various system devices based on who
52	is actually logged on at the console. It's specific user permissions
53	rather than general group permissions, but they are effective only when
54	the user is logged in.
55
56	Unfortunately, pam_console seriously "complexifies" administration,
57	because now instead of having to worry about permissions in one or two
58	spots (udev config and perhaps device specific settings elsewhere),
59	there's a third spot as well, and what's even worse, the dynamic behavior
60	makes it harder to troubleshoot. Worst of all, depending on login
61	method, some sessions, particularly X sessions, aren't considered console
62	sessions at all. Thus, it's possible for a user to be sitting at the
63	machine and actively working in X, but not be considered "logged in" at
64	the console, in which case all those permissions pam_console is supposed
65	to grant won't apply, and the user (and admin) are often left trying to
66	figure out why the user doesn't have the permissions udev and etc say he
67	SHOULD have!
68
69	So while pam_console has its place on a system used by many separate user
70	logins, Gentoo devs eventually got tired of tracking down the related
71	permissions issues and decided it was better to have pam_console as a
72	separate package and disabled by default. "And Gentoo users and admins
73	everywhere danced with joy!" =8^)
74
75	So that's the story behind pam_console -- you were right, it /should/ be
76	left commented, unless you want to seriously "complexify" your
77	administrative duties. =8^)
78
79	--
80	Duncan - List replies preferred. No HTML msgs.
81	"Every nonfree program has a lord, a master --
82	and if you use the program, he is your master." Richard Stallman
83
84	--
85	gentoo-amd64@g.o mailing list

Gentoo Archives: gentoo-amd64