| 1 |
Ok many people today have seen bugs related to "openpam compatibility fixes". |
| 2 |
I think it's better explain what's going on, why I'm filling them and why some |
| 3 |
of them are marked "openpam and amd64 compatibility". |
| 4 |
|
| 5 |
For who doesn't remember, OpenPAM[1] is the PAM implementation used by |
| 6 |
FreeBSD, so also by Gentoo/FreeBSD project. OpenPAM is a base framework which |
| 7 |
actually doesn't provides modules, but just libpam and related utils. |
| 8 |
It's lighter but usually compatible with sys-libs/pam (Linux-PAM actually). |
| 9 |
|
| 10 |
Using PAM, many packages just uses pam_stack.so to provide the same |
| 11 |
authentication scheme as base login (system-auth), but this makes some things |
| 12 |
a bit complex. This because pam_stack.so is a non-standard module which is |
| 13 |
created by RedHat that gentoo "inherited" and which is used by many pamd |
| 14 |
files in the tree. |
| 15 |
|
| 16 |
OpenPAM and Linux-PAM 0.78 provides the same functionality of pam_stack.so as |
| 17 |
"include directive", so something like |
| 18 |
|
| 19 |
auth required pam_stack.so service=system-auth |
| 20 |
|
| 21 |
can be changed in |
| 22 |
|
| 23 |
auth include system-auth |
| 24 |
|
| 25 |
and works fine both on >=sys-libs/pam-0.78 and openpam (G/FBSD). |
| 26 |
|
| 27 |
I'm walking in the tree to fix packages which uses pam_stack.so and submit |
| 28 |
bugs for them, so to use include directive. Some of them just uses a pamd |
| 29 |
file which includes system-auth, in this case I reported them to use |
| 30 |
pamd_mimic_system which is a function I wrote in pam eclass[2], which is |
| 31 |
still not in portage as it's waiting for Azarah's review. This because using |
| 32 |
that function you save from have one more file in the tree. |
| 33 |
|
| 34 |
Main issue with changing the files is that the minimum version required by the |
| 35 |
include directive for sys-libs/pam is 0.78, which is in ~arch for now. This |
| 36 |
means that packages needs to revbump to fix the dependency. The version |
| 37 |
requirement is already taken care by virtual/pam virtual which is provided by |
| 38 |
the right ebuilds. |
| 39 |
|
| 40 |
Now, why amd64 is involved in this? |
| 41 |
Many pamd files specifies the entire path to the modules they use, so for |
| 42 |
example, to use pam_stack, they use /lib/security/pam_stack.so . |
| 43 |
This is valid now, but in no-lib32 profile for amd64, where /lib points to the |
| 44 |
32-bit version instead of 64-bit as it does now, it will fail. |
| 45 |
Avoid using hte fullpath but just the pam module's name, fixes the problem |
| 46 |
both for amd64 and for openpam (openpam installs modules in /usr/lib). |
| 47 |
|
| 48 |
This is ok for the pamd files in tree, for which I'll take care to report |
| 49 |
fixes to maintainers, but the problem is for packages which doesn't install |
| 50 |
the pamd file from the tree but from their own sources. In those cases, I |
| 51 |
can't do much, as I don't know all the packages in the tree to fix them, and |
| 52 |
I the ones I use I already take care of. |
| 53 |
|
| 54 |
So if you are a maintainer who knows that your package installs a pamd file, |
| 55 |
drop a line to me (mail or irc) and I'll take care of looking at it for |
| 56 |
eventual openpam/amd64 compatibility fixes. This can also be done in a second |
| 57 |
moment for g/fbsd, but there can be problems with amd64, and fixing soon all |
| 58 |
the packages is still important. |
| 59 |
|
| 60 |
Oh please note that not just pamd files needs fixes for G/FBSD, but also pam |
| 61 |
modules, so I may need to take a look also to some packages which installs |
| 62 |
pam modules. A full tracker for pam issues with g/fbsd is on bug #93119[3]. |
| 63 |
|
| 64 |
[1] http://www.openpam.org/ |
| 65 |
[2] https://bugs.gentoo.org/show_bug.cgi?id=93118 |
| 66 |
[3] https://bugs.gentoo.org/show_bug.cgi?id=93119 |
| 67 |
-- |
| 68 |
Diego "Flameeyes" Pettenò |
| 69 |
Gentoo Developer (Gentoo/FreeBSD, Video, Gentoo/AMD64) |
| 70 |
|
| 71 |
http://dev.gentoo.org/~flameeyes/ |
Archives