From: Andreas Schmidt <list@schmidt-andreas.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] linux-pam: add new package
Date: Thu, 1 Mar 2018 20:27:10 +0100
Message-ID: <aaa64cfe-8160-1681-0e21-5b2264e8047e@schmidt-andreas.de>
In-Reply-To: <20180221153707.wheqlqrkvqysxlgm@pengutronix.de>
Hi Michael,
On 21.02.2018 16:37, Michael Olbrich wrote:
> On Sat, Feb 10, 2018 at 03:09:15PM +0100, Andreas Schmidt wrote:
>> Signed-off-by: Andreas Schmidt <mail@schmidt-andreas.de>
>> ---
>> Hi,
>> this patch should add Linux-PAM libraries, modules, minimal
>> configuration and Linux-PAM applications to ptxdist.
>>
>> [...]
>>
>> I'm looking forward for constructive comments!
> What exactly is your use-case? What can I do with this rule, the way it
> is now? I'm not an expert on PAM. The only use-case I'm familiar with is
> to use PAM for user authentication. In this case I would expect some kind
> of integration with busybox (/bin/login) and systemd.
PAM can, but need not, be used for authentication management. I used it in
some projects to set rules for the creation of new passwords and for
authentication at login. I am not an expert in PAM either, but you can set
restrictions / limits for files or file access or other resources
(e.g. pam_limit) and many other things mentioned in the linux-pam
documentation.
> In general, I try to avoid adding options blindly for everything. Some
> basic rules:
> - try to provide options for use-cases, not files. This works in some cases
> (e.g. 'nfs server' or 'nfs client') but not so well in others (gstreamer
> plugins). A lot of PAM modules probably have this problem.
Ok, I will try to clean it up. But I am not sure if I have the whole
overview of all important use-cases.
> - If it adds an external dependency: add an option for it
Yes, I will do so.
> - If it's small just install it unconditionally unless that can be
> problematic.
> This is probably true for the basic modules.
Ok, I think many modules can be added by default, because they are needed in
most use-cases.
> - If you think it's probably not useful for embedded, then ignore it. We
> can add more options later.
> Maybe some of the programs?
Ok, e.g. the mkhomedir module is useless in most embedded systems because
the users are fixed and their home directories are created during the build
process, if a home directory is needed at all.
Thanks for the comments, I will create a new patch. Or do you think that
linux-pam is not needed by most users of ptxdist?
>> ---
>> projectroot/etc/pam.conf | 15 +
>> projectroot/etc/pam.d/common-account | 9 +
>> projectroot/etc/pam.d/common-auth | 10 +
>> projectroot/etc/pam.d/common-password | 12 +
>> projectroot/etc/pam.d/common-session | 10 +
>> projectroot/etc/pam.d/other | 8 +
>> projectroot/etc/securetty | 12 +
>> projectroot/etc/shells | 1 +
> Where do these files come from?
From the mentioned patches, edited by me.
I will rework them too. I guess they are not consistent yet.
>> rules/linux-pam.in | 533 ++++++++++++++++++++++++++++++++++
>> rules/linux-pam.make | 182 ++++++++++++
>> 10 files changed, 792 insertions(+)
>> create mode 100644 projectroot/etc/pam.conf
>> create mode 100644 projectroot/etc/pam.d/common-account
>> create mode 100644 projectroot/etc/pam.d/common-auth
>> create mode 100644 projectroot/etc/pam.d/common-password
>> create mode 100644 projectroot/etc/pam.d/common-session
>> create mode 100644 projectroot/etc/pam.d/other
>> create mode 100644 projectroot/etc/securetty
>> create mode 100644 projectroot/etc/shells
>> create mode 100644 rules/linux-pam.in
>> create mode 100644 rules/linux-pam.make
[...]
>> diff --git a/projectroot/etc/shells b/projectroot/etc/shells
>> new file mode 100644
>> index 000000000..c2cdaa0f2
>> --- /dev/null
>> +++ b/projectroot/etc/shells
>> @@ -0,0 +1 @@
>> +/bin/sh
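Review bot: /etc/shells as added here lists only /bin/sh, and the LINUX_PAM_SHELLS option in rules/linux-pam.in describes pam_shells as refusing every user whose login shell is not in this file, so any account whose /etc/passwd entry points at another path (a different busybox shell applet, bash when that package is selected) is locked out as soon as the module is enabled. Either derive the file from the shells the BSP actually installs, or document that it has to be kept in sync with /etc/passwd.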
>> diff --git a/rules/linux-pam.in b/rules/linux-pam.in
>> new file mode 100644
>> index 000000000..4aa7dcf7d
>> --- /dev/null
>> +++ b/rules/linux-pam.in
>> @@ -0,0 +1,533 @@
>> +## SECTION=shell_and_console
>> +
>> +menuconfig LINUX_PAM
>> + tristate
>> + prompt "linux-pam"
> add spaces at the end to align the '-->' in menuconfig.
Ok
>> + select FLEX
>> + select DB if LINUX_PAM_USERDB
>> + select LIBSELINUX if LINUX_PAM_SELINUX
> Align the 'if' with tabs.
Ok
>> + help
>> + Linux-PAM is a free implementation of the following DCE-RFC from
>> + Sunsoft. PAM provides a way to develop programs that are
>> + independent of authentication scheme. These programs need
>> + "authentication modules" to be attatched to them at run-time
>> + in order to work. Which authentication module is to be attatched
>> + is dependent upon the local system setup and is at the discretion.
>> +
>> +if LINUX_PAM
>> +
>> +menu "PAM modules"
>> +
>> +config LINUX_PAM_ACCESS
>> + bool
>> + prompt "PAM access module"
>> + help
>> + The pam_access PAM module is mainly for access
>> + management. It provides logdaemon style login access
>> + control based on login names, host or domain names,
>> + internet addresses or network numbers, or on terminal
>> + line names in case of non-networked logins.
>> +
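Review bot: the menuconfig help text for LINUX_PAM needs proof-reading: "attatched" appears twice, the last sentence ends mid-thought at "is at the discretion." (the upstream README continues "of the local system administrator"), and "the following DCE-RFC" refers to a link that exists in the upstream README but not in this help text, so either drop "following" or name the document.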
[...]
>> +config LINUX_PAM_SECURETTY
>> + bool
>> + prompt "PAM securetty module"
>> + help
>> + pam_securetty is a PAM module that allows root logins
>> + only if the user is logging in on a "secure" tty, as
>> + defined by the listing in /etc/securetty.
>> + pam_securetty also checks to make sure that
>> + /etc/securetty is a plain file and not world writable.
>> +
>> +config LINUX_PAM_SELINUX
>> + bool
>> + prompt "PAM selinux module"
> This should not have a prompt. If selinux is enabled globally, then the
> support should always be enabled.
Ok
>> + depends on GLOBAL_SELINUX
>> + help
>> + pam_selinux sets up the default security context for the next
>> + shell.
>> +
>> +config LINUX_PAM_SEPERMIT
>> + bool
>> + prompt "PAM sepermit module"
>> + depends on LINUX_PAM_SELINUX
>> +
>> +config LINUX_PAM_SHELLS
>> + bool
>> + prompt "PAM shells module"
>> + help
>> + pam_shells is a PAM module that only allows access to
>> + the system if the users shell is listed in /etc/shells.
>> +
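Review bot: LINUX_PAM_SEPERMIT is the only module option in this group without a help text; add one so it reads like LINUX_PAM_SELINUX and LINUX_PAM_SHELLS above. Also, pam_securetty and pam_shells only work with /etc/securetty and /etc/shells present, and the diffstat shows both files being added to projectroot unconditionally; consider installing them only when the corresponding module option is selected, or state in the help text that the files are shipped regardless.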
[...]
>> +
>> +config LINUX_PAM_LOCKING
>> + bool
>> + default n
>> + prompt "Locking"
>> + help
>> + Configure libpam to observe a global authentication lock.
> I don't think this should be configurable. Just use a sane default.
Ok
>
>> +
>> +config LINUX_PAM_MAILSPOOL
>> + string
>> + prompt "Mail spool path"
>> + help
>> + Alternative path to mail spool directory or
>> + leave empty for default path (/var/spool/mail).
> No option for this. Just use the default.
Ok
>> +
>> +config LINUX_PAM_RANDOMDEV
>> + bool
>> + default y
>> + prompt "Random decive"
>> + help
>> + Say yes for using random device.
>> +
>> +config LINUX_PAM_RANDOMDEV_PATH
>> + string
>> + prompt "Random device path"
>> + depends on LINUX_PAM_RANDOMDEV
>> + help
>> + Specify random device or leave empty for
>> + default device path (/dev/urandom).
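Review bot: typo in the LINUX_PAM_RANDOMDEV prompt, "Random decive" should read "Random device". If the free-form LINUX_PAM_RANDOMDEV_PATH option survives review, the .make rule (its configure section is elided above) has to map an empty string to the default instead of handing configure an empty path, since the help text explicitly invites leaving it empty.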
> No, just set it to /dev/urandom, or whatever other linux distros are doing.
Ok
>
>> +
>> +endif
>> +
>> diff --git a/rules/linux-pam.make b/rules/linux-pam.make
>> new file mode 100644
>> index 000000000..a651c8a6f
>> --- /dev/null
>> +++ b/rules/linux-pam.make
>> @@ -0,0 +1,182 @@
>> +# -*-makefile-*-
>> +#
>> +# Copyright (C) 2018 by Andreas Schmidt <mail@schmidt-andreas.de>
>> +#
>> +# See CREDITS for details about who has contributed to this project.
>> +#
>> +# For information about the PTXdist project and license conditions
>> +# see the README file.
>> +#
>> +
>> +#
>> +# We provide this package
>> +#
>> +PACKAGES-$(PTXCONF_LINUX_PAM) += linux-pam
>> +
>> +#
>> +# Paths and names
>> +#
[...]
>> +
>> +# ----------------------------------------------------------------------------
>> +# Target-Install
>> +# ----------------------------------------------------------------------------
>> +
>> +$(STATEDIR)/linux-pam.targetinstall:
>> + @$(call targetinfo)
>> +
>> + @$(call install_init, linux-pam)
>> + @$(call install_fixup, linux-pam,PRIORITY,optional)
>> + @$(call install_fixup, linux-pam,SECTION,base)
>> + @$(call install_fixup, linux-pam,AUTHOR,"Andreas Schmidt <mail@schmidt-andreas.de>")
>> + @$(call install_fixup, linux-pam,DESCRIPTION,missing)
>> +
>> + @$(call install_lib, linux-pam, 0, 0, 0644, libpam)
>> + @$(call install_lib, linux-pam, 0, 0, 0644, libpam_misc)
>> + @$(call install_lib, linux-pam, 0, 0, 0644, libpamc)
>> +
>> + @$(foreach module, $(LINUX_PAM_MOD-y), \
>> + $(call install_copy, linux-pam, 0, 0, 0644, -, /usr/lib/security/pam_$(module).so);)
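Review bot: `install_fixup, linux-pam,DESCRIPTION,missing` is a placeholder; fill in a one-line description (the first sentence of the LINUX_PAM help text would do). The modules are copied to /usr/lib/security/pam_$(module).so, which must be the same directory libpam was configured to search for modules at run time; the configure part of this rule is elided here, so please double-check the two agree, otherwise every module reference in pam.conf and pam.d fails at login.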
> Use $(ptx/nl) instead of ';'. This way errors are not ignored. The same for
> all loops below.
Ok
> Michael
Thank you!
Regards,
Andreas
[...]
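As an added example that is not part of the patch or of PTXdist, the following script checks a ptxdist projectroot for the two conditions the module help texts above describe: /etc/securetty must be a plain, not world-writable file (pam_securetty), and every login shell in /etc/passwd must be listed in /etc/shells (pam_shells). The staging-tree layout and the sample files are constructed here and deliberately violate both rules.

```python
import os
import stat
import tempfile

# Added example (not from the patch or PTXdist): check a ptxdist projectroot for
# what pam_securetty and pam_shells require of /etc/securetty and /etc/shells.


def check_securetty(root):
    """Return findings for <root>/etc/securetty; an empty list means OK."""
    path = os.path.join(root, "etc/securetty")
    if not os.path.lexists(path):
        return ["etc/securetty missing"]
    st = os.lstat(path)  # lstat: a symlink is not a plain file either
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("etc/securetty is not a plain file")
    if st.st_mode & stat.S_IWOTH:
        findings.append("etc/securetty is world-writable")
    return findings


def read_shells(root):
    """Parse <root>/etc/shells: one shell path per line, '#' starts a comment."""
    with open(os.path.join(root, "etc/shells")) as fh:
        lines = (ln.strip() for ln in fh)
        return {ln for ln in lines if ln and not ln.startswith("#")}


def users_with_unlisted_shell(root):
    """(user, shell) pairs from <root>/etc/passwd that pam_shells would reject."""
    shells = read_shells(root)
    rejected = []
    with open(os.path.join(root, "etc/passwd")) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) == 7 and fields[6] not in shells:
                rejected.append((fields[0], fields[6]))
    return rejected


def build_sample_root():
    """Constructed projectroot: world-writable securetty, one user on /bin/ash."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "etc"))
    for name, text in (("securetty", "console\nttyS0\n"),
                       ("shells", "# valid login shells\n/bin/sh\n"),
                       ("passwd", "root:x:0:0:root:/root:/bin/sh\n"
                                  "svc:x:100:100::/var/lib/svc:/bin/ash\n")):
        with open(os.path.join(root, "etc", name), "w") as fh:
            fh.write(text)
    os.chmod(os.path.join(root, "etc/securetty"), 0o646)
    return root
```

Run against a real projectroot by passing its path instead of the constructed one; a clean tree yields an empty list from both check functions.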