Gentoo Archives: gentoo-dev

From: Diego "Flameeyes" Pettenò <flameeyes@×××××××××××××.de>
To: gentoo-dev@××××××××××××.org
Subject: [gentoo-dev] Pluggable Hell Part 2: Fixing everything up!
Date: Wed, 30 Mar 2005 20:17:07

Ok, second part of my odyssey in PAM implementations.
After a day searching for example config files and so on, I found out that
Linux-PAM already supports the include syntax of openpam since version 0.78.
This is useful to our needs, because it allows us to have a single
configuration file which works on both openpam and linux-pam.

The old syntax is this:

class required service=system-auth

the new one should be:

class include system-auth

Now, to start making the changes needed to have complete openpam/linuxpam
intercompatibility, there's need of a few changes in tree:
- we need a virtual/pam, which could be provided by linux-pam or by openpam;
- we need an ebuild for openpam (I've written one, but it still misses a few
points, mainly for the missing things here stated)
- we need a virtual/pam-modules which could be provided by linux-pam or by a
new freebsd-pam-modules (they work also under linux as far as I know... I'll
test that better when I'll have the other things working, now is a bit
complicated to do), openpam will pdepend on freebsd-pam-modules to provide
both in a simple way.
- not needed, but surely helpful, sys-libs/pam could be renamed to
sys-libs/linux-pam, or sys-libs/Linux-PAM which is its exact spelling. This
way we have a consistent naming scheme
- all the dependencies on sys-libs/pam should be changed to virtual/pam (also if
they use under openpam, until we have fixed everything this
could be worked around by the ones using openpam... initially only
experimental users should use it, so they should be able to cope with broken
configuration files, see next point for solution)
- the new ebuilds should add a new configuration file with the new syntax, and
should depend on: || ( >=sys-libs/pam-0.78 virtual/pam ). This would fix the
previous point, as who is using openpam will use the ~arch packages which
will be fixed one by one (by me, submitting patches to maintainers), this way
the packages will work out-of-the-box for both g/linux and g/fbsd users (I
haven't searched on macosx, but should be, as they have the same userlands of
fbsd).

I'll work anyway on a pam_stack hack for openpam, also if I'm not sure if,
when and how I'll be able to make it work... also I don't like too much
messing with security stuff :/

Well.. if there's someone (lu_zero? :) ) who doesn't like this solution...
comments accepted :)

--
Diego "Flameeyes" Pettenò
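
An added example, not part of the original mail and not Gentoo's or the author's code: a small converter for the old-to-new syntax change described above. It assumes the old form is a `pam_stack.so service=...` line (the module name is an assumption drawn from the mail's pam_stack remark); the function names and the sample file are constructed here. Only `required` lines with a single `service=` argument are rewritten, and everything else is reported for review.

```python
import re

# A pam.d line that delegates to another service through pam_stack.so, e.g.
#   auth required pam_stack.so service=system-auth
STACK_RE = re.compile(
    r"^(?P<indent>\s*)(?P<cls>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+\S*pam_stack\.so(?P<args>(?:\s+\S+)*)\s*$"
)

def convert_line(line):
    """Return (line, note); note is set when the line is left for a human."""
    body = line.rstrip("\n")
    m = STACK_RE.match(body)
    if not m:                      # comments and other modules pass through
        return line, None
    args = m.group("args").split()
    services = [a[len("service="):] for a in args if a.startswith("service=")]
    # Only the exact pattern from the mail is rewritten: control "required",
    # one service= argument and nothing else. Another control flag or an extra
    # argument can change how the stack is evaluated, so it is reported instead.
    if (m.group("control") != "required" or len(args) != 1
            or len(services) != 1 or not services[0]):
        return line, "manual review: " + body.strip()
    ending = line[len(body):]
    return f"{m.group('indent')}{m.group('cls')} include {services[0]}{ending}", None

def convert_text(text):
    out, notes = [], []
    for line in text.splitlines(keepends=True):
        new, note = convert_line(line)
        out.append(new)
        if note:
            notes.append(note)
    return "".join(out), notes

# Constructed sample of an /etc/pam.d service file (not taken from the mail).
SAMPLE = """#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   sufficient   pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth debug
"""

if __name__ == "__main__":
    converted, notes = convert_text(SAMPLE)
    print(converted, end="")
    for n in notes:
        print("#", n)
```
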