Following yesterday’s post on PAM I decided to get on with the work on PAM, fixed a bug, duped another and then started looking, via the tinderbox, for the configuration files installed by many applications.
It turns out that there is a huge mess in there: some applications use the pamd_mimic function from pam.eclass (which I wrote myself) to just request the same authentication as the rest of the system; others install similar pam.d files coming out of other distributions; others still install the upstream-provided pam.d file, which doesn’t suit the Gentoo setup at all.
This actually gave me a nasty headache: I had to open a few bugs for the most obvious bad files, but it also showed me that I need a better system to review the actual validity of the configuration files. For instance, I see lots of password chain entries in the configuration files, but I guess that not all services have a way to change the system’s password (anything that runs user sessions without root privileges would be unable to change the shadow passwords file).
Now, there is a negligible security concern with not outright denying password changes to those applications; if we were to tighten up security in the PAM area we should probably just add pam_deny entries for the password chain. What actually worries me is that most of the people maintaining packages using PAM don’t really know enough about it to write the PAM configuration files the way they are supposed to be written. Not that I can blame them, I also would have preferred not to know, but it means that I really really really have to find time to work on the PAM documentation, so I can help developers write the proper configuration files, knowing their software.
This review also showed me that a lot of packages actually install the same stack: system auth with an additional precondition in the pam_nologin module. I wonder if I should add a system-service-login stack that contains that, and use it instead, to merge all these details inside the single pambase package. On a similar note, I also started wondering if it would make sense to have the mailbase and ftpbase packages drop their PAM configuration files and move those into pambase as well; that way it would be possible to provide fine-tuned configuration files, with the proper module used on FreeBSD to find ftpusers, and similar.
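The two ideas above, refusing password changes with pam_deny for services that cannot touch the shadow file anyway, and sharing one login-style stack that puts pam_nologin in front of the system auth, both come down to what each pam.d file actually says. The following script is an added example, not code from the original post, from pambase or from pam.eclass: it parses pam.d-style files with the standard "type control module [args]" line syntax and reports, for each file, whether its password chain is absent, ends in pam_deny.so, or is left open (including the common "include system-auth" case). The service names and file contents are constructed samples, not real Gentoo packages.

```shell
#!/bin/sh
# Added example (not from the original post, pambase or pam.eclass).
# Audits pam.d-style service files for open "password" chains and shows the
# pam_nologin-fronted login stack the post describes, on constructed samples.
# Assumes the usual /etc/pam.d line syntax:  type  control  module [args]

# Print the module (or "include:<stack>") for every "password" entry in FILE.
# Control fields written as "[success=ok default=die]" contain spaces, so the
# module is taken as the first field ending in ".so" rather than a fixed column.
password_modules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                      # comments, blanks
        $1 == "password" {
            if ($2 == "include" || $2 == "substack") { print "include:" $3; next }
            for (i = 2; i <= NF; i++)
                if ($i ~ /\.so$/) { print $i; break }
        }
    ' "$1"
}

# Classify FILE: "none"   - no password chain at all
#                "denied" - chain ends in pam_deny.so (password changes refused)
#                "open"   - chain present and not terminated by pam_deny.so
password_chain_state() {
    last=$(password_modules "$1" | tail -n 1)
    if [ -z "$last" ]; then
        echo none
    elif [ "$last" = "pam_deny.so" ]; then
        echo denied
    else
        echo open
    fi
}

# Constructed sample files standing in for /etc/pam.d entries.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT

# A service that only runs user sessions but copies the whole system stack.
cat > "$sample_dir/sample-session-service" <<'EOF'
auth      include   system-auth
account   include   system-auth
password  include   system-auth
session   include   system-auth
EOF

# The same service with password changes explicitly refused.
cat > "$sample_dir/sample-session-service.fixed" <<'EOF'
auth      include   system-auth
account   include   system-auth
password  required  pam_deny.so
session   include   system-auth
EOF

# A hypothetical shared login stack: pam_nologin as precondition, then the
# system auth; bracketed control syntax exercises the parser.
cat > "$sample_dir/sample-service-login" <<'EOF'
auth      required                      pam_nologin.so
auth      [success=ok default=die]      pam_unix.so try_first_pass
account   include                       system-auth
session   include                       system-auth
EOF

# Report every file in DIR with its password-chain state.
audit_pam_dir() {
    for f in "$1"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(password_chain_state "$f")"
    done
}

audit_pam_dir "$sample_dir"
```

Run it as-is to see the three classifications; to audit a real system, call audit_pam_dir /etc/pam.d instead of the sample directory. Note that "open" only says the chain is not terminated by pam_deny.so; whether a given service legitimately needs to change passwords is still the maintainer's call.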
Sincerely, I don’t like having to maintain PAM; I do it just because it seems nobody else cares. Each time I start looking into it, I find some things that need to get addressed, but I soon lose the motivation. So if you’re interested in these things being cleaned up, please speak up; at least I’ll have some reason to continue working on them.
Greetings Flameeyes, I have been a security professional for many years and I consider the PAM implementation a critical subsystem for any modern operating system, including Gentoo Linux. I know how unglamorous Information Security is, but it is vital for the health and reliability of our community. Please continue your work with the good wishes and support of your peers!
Even though PAM is not overly complex after you understand it, most PAM documentation is needlessly complex. So it would be great for users, as well as developers if you could prepare an easy to follow document about PAM configuration.
As I’m working in a daily newspaper “Kurier Wileński” (http://kurierwilenski.lt/), whose offices work mostly on FOSS (journalists use Ubuntu, all the internal servers run on Gentoo, and only DTP people still use Mac – and this transition to FOSS was done by me in ~2 years), security and reliability are extremely important to us. The thought that somebody as technically able and experienced as you works on the PAM implementation in Gentoo really is the only thing that lets me sleep at night.
The documentation of PAM is not so good; I hate it when I must update the PAM configs after an update. Every improvement would be a great thing for this crucial piece of software. Please, go on…