Following yesterday’s post on PAM I decided to get on with the work on PAM, fixed a bug, duped another and then started looking, via the tinderbox, for the configuration files installed by many applications.
It turns out that there is a huge mess in there; some applications use the
pamd_mimic function from pam.eclass (which I wrote myself) to just request the same authentication as the rest of the system. Others install similar pam.d files coming out of upstream distributions; other install the upstream-provided pam.d file that doesn’t suit the Gentoo setup at all.
This actually gave me a nasty headache: I had to open a few bugs for the most obvious bad files, but it also has shown me that I need a better system to review the actual validity of the configuration files. For instance, I see lots of password chain entries in the configuration files, but I guess that not all services would have a way to change the system’s password (anything that runs user sessions without root privileges would be unable to change the shadow passwords file).
Now, there is a negligible security concern with not outright deny password changing to those applications; if we were to tighten up security in the PAM area we should probably just add
pam_deny entries for the password chain. What actually worries me is that most of the people maintaining packages using PAM don’t really know enough about it to properly write the PAM configuration files like it was supposed to. Not that I can blame them, I also would have preferred not to know, but it means that I really really really have to find time to work on the PAM documentation, so I can help developers to write the proper configuration files, knowing their software.
This review also has shown me that a lot of packages actually install the same stack: system auth with an additional precondition in the
pam_nologin module. I wonder if I should add a
system-service-login stack that contains that, and use that instead, to merge all these details inside the single pambase package. On a similar note, I also started wondering if it would make sense to have the mailbase and ftpbase package drop the PAM configuration files and also move those into pambase; that way it would be possible to provide fine-tuned configuration files, with the proper module used on FreeBSD to find ftpusers, and similar.
Sincerely, I don’t like having to maintain PAM, I do just because it seems nobody else cares; each time I start looking into it, I do find some things that needs to get addressed but I soon lose the motivation in it. So if you’re interested in these things being cleaned up, please speak up, at least I’ll have some reason to continue working on them.