* [gentoo-amd64] Problems with pam-0.99 upgrade
From: Mark Knecht @ 2007-11-03 23:48 UTC
  To: gentoo-amd64

I'm doing an emerge system and running into questions on the pam
upgrade. I'd like to get this right before I reboot, etc., as I think
this could cause me to be unable to login if it was done wrong.

Anyway, the upgrade instructions point to this web page:

http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml

I think the only important instructions - please correct me if I'm
wrong - are included here:

<QUOTE>
Code Listing 1.2: Replace pam_stack usage with the include directive

(The old configuration)
auth    required     pam_stack.so    service=system-auth

(Replace it with this)
auth    include      system-auth

Important: There are four facilities in PAM configuration: auth,
account, password and session. You need to update the configuration
files for all of them, not just auth.

Please note that you might also need to reorder the calls when making
this change, as sometimes modules like pam_nologin were listed after
pam_stack, even though they now need to be listed before the include
directive.
</QUOTE>

OK, knowing as you all do that I'm a non-admin sort of person, these
sorts of instructions - the 2 paragraphs at the end - scare me. I hate
having to guess what anyone means.

lightning pam.d # qfile -o /etc/pam.d/*
/etc/pam.d/gdmconfig
/etc/pam.d/xdm
lightning pam.d #

OK, so do I need to edit these two files only and not the ones shown
in the example on the Wiki page?

When I look at doing the edits I'll show both the files unedited first:

lightning pam.d # cat /etc/pam.d/gdmconfig
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_permit.so
session    optional     /lib/security/pam_xauth.so
account    required     /lib/security/pam_permit.so
lightning pam.d #

lightning pam.d # cat /etc/pam.d/xdm
#%PAM-1.0
auth       required    pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
lightning pam.d #

So, what needs to be edited and what shouldn't be touched? As a guess,
which I'm hoping someone here can bless as I don't understand what
this is doing, I'd propose these changes:

/etc/pam.d/gdmconfig

#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       include      system-auth
session    required     /lib/security/pam_permit.so
session    optional     /lib/security/pam_xauth.so
account    required     /lib/security/pam_permit.so


and possibly...

lightning pam.d # cat /etc/pam.d/xdm

#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
#session   optional     pam_console.so


I'm suggesting I comment out the last line as it appears from the
description that this is/was never used and requires some other
package be emerged. Do I need any of that for a normal desktop
machine?

I hope I've given enough information here. If not please let me know
and I'll get what you need ASAP.

Thanks,
Mark
-- 
gentoo-amd64@gentoo.org mailing list
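The edit the guide describes, done by script. This is an added example and is not code from the thread or from the Gentoo upgrade guide; it assumes only a POSIX shell and awk, and the directory and file names in the usage comment are assumptions. convert_pam_stack prints a converted copy of one file: every pam_stack.so line becomes an include of the service named on it, and a pam_nologin line that follows the include for the same facility is moved ahead of it, which is the reordering the guide's last paragraph warns about. find_pam_stack_users lists the files in a directory that still reference pam_stack.so, which is exactly the set of files that must be edited, because that module no longer exists after the upgrade.

```shell
#!/bin/sh
# Added example (not from the thread or the Gentoo upgrade guide).
# Converts pam_stack.so lines to the pam-0.99 "include" form and keeps
# pam_nologin ahead of the include for the same facility.

# find_pam_stack_users DIR: print the files in DIR that still reference
# pam_stack.so; these are the ones that must be edited before the upgrade.
find_pam_stack_users() {
    grep -l 'pam_stack\.so' "$1"/* 2>/dev/null || true
}

# convert_pam_stack FILE: print a converted copy of FILE on stdout.
# Review the output and move it over the original only when it looks right.
convert_pam_stack() {
    awk '
    # Output is buffered so a pam_nologin line can be moved in front of an
    # include that was already emitted for the same facility.
    {
        line = $0
        if (line ~ /pam_stack\.so/) {
            type = $1
            svc = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^service=/) svc = substr($i, 9)
            if (svc == "") {
                print "no service= on line " NR " of " FILENAME ", left unchanged" > "/dev/stderr"
            } else {
                line = sprintf("%-10s %-12s %s", type, "include", svc)
                if (!(type in firstinc)) firstinc[type] = m + 1
            }
        }
        if (line ~ /pam_nologin\.so/ && ($1 in firstinc)) {
            # pam_nologin listed after the include: move it before the
            # first include for this facility.
            pos = firstinc[$1]
            for (j = m; j >= pos; j--) out[j + 1] = out[j]
            out[pos] = line
            m++
            for (t in firstinc) if (firstinc[t] >= pos) firstinc[t]++
            next
        }
        out[++m] = line
    }
    END { for (i = 1; i <= m; i++) print out[i] }
    ' "$1"
}

# Usage (paths are assumptions): convert every file that still uses pam_stack.
# for f in $(find_pam_stack_users /etc/pam.d); do
#     convert_pam_stack "$f" > "$f.new"
# done
```

Run against the xdm file posted above, the script produces the same six-line result that Mark proposed, with pam_nologin first; against gdmconfig it leaves the pam_rootok and pam_permit lines untouched and rewrites only the pam_stack line. The converted file is written beside the original rather than over it, so a bad result never replaces a working login configuration before it has been read.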




* Re: [gentoo-amd64] Problems with pam-0.99 upgrade
From: Richard Freeman @ 2007-11-04 12:02 UTC
  To: gentoo-amd64



Mark Knecht wrote:
> OK, knowing as you all do that I'm a non-admin sort of person these
> sort of instructions - the
> 2 paragraphs at the end - scare me. I hate having to guess what anyone means.
> 
> lightning pam.d # qfile -o /etc/pam.d/*
> /etc/pam.d/gdmconfig
> /etc/pam.d/xdm
> lightning pam.d #
> 

I was having the same problems earlier in the week.  The solution is
actually pretty simple.  The output above indicates that xdm and
gdmconfig aren't being used any longer - they're orphans.  I just moved
the files elsewhere (for temporary safe-keeping), and upgraded PAM, and
there were no issues.  All the files that used the obsolete functions
were upgraded some time ago apparently - but if you have a system that
has been upgraded year-after-year apparently there are orphan files that
date WAY back...

However, I agree that PAM is one of those things that everybody depends
on but otherwise seems to behave like black magic for most people.  I've
yet to see a guide on PAM that actually makes it easy to understand.
(There are TONS of guides that ATTEMPT to make it easy to understand,
but every one I've seen falls far short).  I considered it a major
accomplishment when I was able to hack my sshd PAM config to restrict
logins to a list of particular accounts...



* Re: [gentoo-amd64] Problems with pam-0.99 upgrade
From: Mark Knecht @ 2007-11-04 13:15 UTC
  To: gentoo-amd64

On 11/4/07, Richard Freeman <rich@thefreemanclan.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark Knecht wrote:
> > OK, knowing as you all do that I'm a non-admin sort of person these
> > sort of instructions - the
> > 2 paragraphs at the end - scare me. I hate having to guess what anyone means.
> >
> > lightning pam.d # qfile -o /etc/pam.d/*
> > /etc/pam.d/gdmconfig
> > /etc/pam.d/xdm
> > lightning pam.d #
> >
>
> I was having the same problems earlier in the week.  The solution is
> actually pretty simple.  The output above indicates that xdm and
> gdmconfig aren't being used any longer - they're orphans.  I just moved
> the files elsewhere (for temporary safe-keeping), and upgraded PAM, and
> there were no issues.  All the files that used the obsolete functions
> were upgraded some time ago apparently - but if you have a system that
> has been upgraded year-after-year apparently there are orphan files that
> date WAY back...
>
> However, I agree that PAM is one of those things that everybody depends
> on but otherwise seems to behave like black magic for most people.  I've
> yet to see a guide on PAM that actually makes it easy to understand.
> (There are TONS of guides that ATTEMPT to make it easy to understand,
> but every one I've seen falls far short).  I considered it a major
> accomplishment when I was able to hack my sshd PAM config to restrict
> logins to a list of particular accounts...

Richard,
   Thanks for the response. I would have NEVER guessed that this qfile
command was telling me the files that are no longer needed. I should
have read the man page on that.

   Now, was the intent of this Wiki to tell me what didn't need
editing or what did? Seems very strange to me to point out files I
don't need anymore but leave the impression I do.

   Anyway, the machine is working and I appreciate your help.

Thanks,
Mark




* [gentoo-amd64] Re: Problems with pam-0.99 upgrade
From: Duncan @ 2007-11-04 13:23 UTC
  To: gentoo-amd64

Richard Freeman <rich@thefreemanclan.net> posted
472DB4C5.60100@thefreemanclan.net, excerpted below, on  Sun, 04 Nov 2007
07:02:13 -0500:

> Mark Knecht wrote:
>> OK, knowing as you all do that I'm a non-admin sort of person these
>> sort of instructions - the
>> 2 paragraphs at the end - scare me. I hate having to guess what anyone
>> means.
>> 
>> lightning pam.d # qfile -o /etc/pam.d/*
>> /etc/pam.d/gdmconfig
>> /etc/pam.d/xdm
>> lightning pam.d #
>> 
>> 
> I was having the same problems earlier in the week.  The solution is
> actually pretty simple.  The output above indicates that xdm and
> gdmconfig aren't being used any longer - they're orphans.  I just moved
> the files elsewhere (for temporary safe-keeping), and upgraded PAM, and
> there were no issues.  All the files that used the obsolete functions
> were upgraded some time ago apparently - but if you have a system that
> has been upgraded year-after-year apparently there are orphan files that
> date WAY back...
> 
> However, I agree that PAM is one of those things that everybody depends
> on but otherwise seems to behave like black magic for most people.  I've
> yet to see a guide on PAM that actually makes it easy to understand.

Agreed with getting the stale files out of the way... remember where you 
put them in case you need them, and setup a reminder if you like, to 
delete them in a month or so if nothing goes wrong.  That's a pretty 
generic one-size-fits-all solution for "mystery files". =8^)

The idea with pam_stack.so is to remove from your active config anything 
that mentions it.  So after removing any stale files, search/grep/
whatever the dir for anything else containing pam_stack.so.  Those are 
the files and lines that must be changed, because pam_stack.so no longer 
exists after the upgrade.

As for pam_console.so, let's illustrate what it does with an example, 
we'll say the sound devices.  On Gentoo by default they are set 
accessible by the audio group.  Now consider an office machine used by a 
number of folks in the office, all who have users in the audio group.  
Say someone's working at the machine, and his co-worker decides to play a 
prank.  Logging in remotely from another machine, since he's in the audio 
group, he turns up the volume and plays a nice juicy fart sound!  
Obviously that could be rather embarrassing! =8^)  

That is of course an amusing example, but there are more security 
oriented ones as well.  What pam_console does is provide a way to 
dynamically control permissions for various system devices based on who 
is actually logged on at the console.  It's specific user permissions 
rather than general group permissions, but they are effective only when 
the user is logged in.

Unfortunately, pam_console seriously "complexifies" administration, 
because now instead of having to worry about permissions in one or two 
spots (udev config and perhaps device specific settings elsewhere), 
there's a third spot as well, and what's even worse, the dynamic behavior 
makes it harder to troubleshoot.  Worst of all, depending on login 
method, some sessions, particularly X sessions, aren't considered console 
sessions at all.  Thus, it's possible for a user to be sitting at the 
machine and actively working in X, but not be considered "logged in" at 
the console, in which case all those permissions pam_console is supposed 
to grant won't apply, and the user (and admin) are often left trying to 
figure out why the user doesn't have the permissions udev and etc say he 
SHOULD have!

So while pam_console has its place on a system used by many separate user 
logins, Gentoo devs eventually got tired of tracking down the related 
permissions issues and decided it was better to have pam_console as a 
separate package and disabled by default.  "And Gentoo users and admins 
everywhere danced with joy!" =8^)

So that's the story behind pam_console -- you were right, it /should/ be 
left commented, unless you want to seriously "complexify" your 
administrative duties. =8^)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
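The two steps recommended in this thread, Richard's "move the orphans elsewhere for safe-keeping" and Duncan's "then grep the directory for anything else containing pam_stack.so", as a script. This is an added example, not code from the thread or from Gentoo. It assumes a POSIX shell, and it reads the orphan list from standard input so that the output of `qfile -o /etc/pam.d/*` can be piped straight in; the /etc/pam.d and /root/pam-orphans paths in the usage comment are assumptions, and the files in the test are constructed. park_orphans refuses anything outside the pam.d directory, writes a manifest of original paths so restore_parked can put everything back if a login breaks, and pam_stack_leftovers returns non-zero while any remaining file still names the module the upgrade removes.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo). Park orphaned
# /etc/pam.d files before the pam-0.99 upgrade, keep a manifest so they can
# be restored, and confirm nothing still active references pam_stack.so.

# park_orphans PAMDIR PARKDIR   (orphan paths on stdin, e.g. from qfile -o)
# Moves each listed file under PARKDIR/<timestamp>/, records its original
# path in MANIFEST there, and prints the parking directory.
park_orphans() {
    pamdir=$1
    parkdir=$2
    dest="$parkdir/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    while IFS= read -r f; do
        case $f in
            "$pamdir"/*) ;;
            *) echo "park_orphans: $f is not under $pamdir, skipping" >&2; continue ;;
        esac
        [ -f "$f" ] || { echo "park_orphans: $f does not exist, skipping" >&2; continue; }
        mv "$f" "$dest/" || return 1
        printf '%s\n' "$f" >> "$dest/MANIFEST"
    done
    echo "$dest"
}

# restore_parked DEST: move every file listed in DEST/MANIFEST back to
# its original path (the "remember where you put them" part).
restore_parked() {
    dest=$1
    while IFS= read -r orig; do
        mv "$dest/${orig##*/}" "$orig" || return 1
    done < "$dest/MANIFEST"
}

# pam_stack_leftovers PAMDIR: list files still mentioning pam_stack.so.
# Returns 1 if any remain (the upgrade will break them), 0 when clean.
pam_stack_leftovers() {
    if grep -l 'pam_stack\.so' "$1"/* 2>/dev/null; then
        return 1
    fi
    return 0
}

# Usage (paths are assumptions):
#   dest=$(qfile -o /etc/pam.d/* | park_orphans /etc/pam.d /root/pam-orphans)
#   pam_stack_leftovers /etc/pam.d || echo "fix the files above before emerging pam"
#   restore_parked "$dest"      # only if a login stops working afterwards
```

Because the check greps the live directory after the orphans have been moved out, it answers Duncan's question directly: whatever it prints is a file a package still owns and that must be converted by hand, not parked.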





* Re: [gentoo-amd64] Problems with pam-0.99 upgrade
From: Richard Freeman @ 2007-11-04 19:43 UTC
  To: gentoo-amd64



Mark Knecht wrote:
> 
> Richard,
>    Thanks for the response. I would have NEVER guessed that this qfile
> command was telling me the files that are no longer needed. I should
> have read the man page on that.

Well, strictly speaking it points out files that are not owned by any
installed package.  Normally when a file is no longer needed it gets
deleted, but the config protect feature prevents this in /etc.

> 
>    Now, was the intent of this Wiki to tell me what didn't need
> editing or what did? Seems very strange to me to point out files I
> don't need anymore but leave the impression I do.
> 

Hmm - not sure what wiki you're referring to, but the upgrade guide is
at: http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml

The text around "qfile -o /etc/pam.d/*" is:
Because of the nature of configuration files, you might still have old
configuration files for packages you already removed, so you should
check first that there are no orphan files (files not belonging to any
package), for instance through the qfile command present in
app-portage/portage-utils.

and

The most common presence of orphan files in /etc/pam.d are the backup
files created by most editors, ending with a tilde character (~). The
remaining files, unless you created them yourself for your particular
setup, should be safe to remove (or at least move away), as they are
probably leftovers from previously installed packages. A special
exception for this is /etc/pam.d/vmware-authd for vmware-server, that is
created by the vmware-config.pl script (but it should be safe to remove
unless you edited it manually, you'll just have to re-execute the script).

Even so, I'll be the first to stand up and proclaim that PAM is confusing.

>    Anyway, the machine is working and I appreciate your help.
> 

You're very welcome!

Rich


