From: "Göktürk Yüksek"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Göktürk Yüksek"
Message-ID: <1577397182.b910c781110ada38d6063098d04775ac8bfd77c2.gokturk@gentoo>
Subject: [gentoo-commits] proj/devmanual:master commit in: tasks-reference/pam/
X-VCS-Repository: proj/devmanual
X-VCS-Files: tasks-reference/pam/text.xml
X-VCS-Directories: tasks-reference/pam/
X-VCS-Committer: gokturk
X-VCS-Committer-Name: Göktürk Yüksek
X-VCS-Revision: b910c781110ada38d6063098d04775ac8bfd77c2
X-VCS-Branch: master
Date: Thu, 26 Dec 2019 21:58:17 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 77a905ac-cfe5-4db5-9c59-bef0df603b20
X-Archives-Hash: 734a77f13b5cb15322e5f24eeea185d5

commit:     b910c781110ada38d6063098d04775ac8bfd77c2
Author:     Mikle Kolyada gentoo org>
AuthorDate: Wed Dec 25 18:10:47 2019 +0000
Commit:     Göktürk Yüksek gentoo org>
CommitDate: Thu Dec 26 21:53:02 2019 +0000
URL:        https://gitweb.gentoo.org/proj/devmanual.git/commit/?id=b910c781

tasks-reference/pam: remove needless pam section

Closes: https://github.com/gentoo/devmanual/pull/128
Signed-off-by: Mikle Kolyada gentoo.org>
Signed-off-by: Göktürk Yüksek gentoo.org>

 tasks-reference/pam/text.xml | 36 ++++--------------------------------
 1 file changed, 4 insertions(+), 32 deletions(-)

diff --git a/tasks-reference/pam/text.xml b/tasks-reference/pam/text.xml index 6aa04d6..62c8ec0 100644 --- a/tasks-reference/pam/text.xml +++ b/tasks-reference/pam/text.xml @@ -16,14 +16,6 @@ With PAM, a program just needs to require authentication for a given login class (defined in a pam.d file), and PAM framework will take care of calling the modules which will provide authentication.

- -

-There are different PAM implementations. Gentoo Linux, by default, uses the -Linux-PAM implementation which is installed via sys-libs/pam; FreeBSD and -NetBSD (and hence Gentoo/FreeBSD) use OpenPAM, which is a minimal version. The -different implementations can provide different authentication modules, and can -differ in some details of the configuration. -
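
Review bot: The paragraph removed in the hunk at @@ -16,14 +16,6 @@ is also the only visible place that tells the reader Gentoo uses the Linux-PAM implementation installed via sys-libs/pam, and that statement goes out together with the OpenPAM and Gentoo/FreeBSD material. The text that stays still speaks of "Linux-PAM on Gentoo" and "the PAM implementation" as if they had been introduced. Suggest keeping one sentence, for example "Gentoo Linux uses the Linux-PAM implementation, which is installed via sys-libs/pam.", and dropping only the rest. The commit message gives no reason for the removal beyond "needless"; a line saying why the OpenPAM references no longer apply would help later readers of the log.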

@@ -89,7 +81,7 @@ The statement is composed of 3 or 4 tokens: the module, but this creates problems because not all the systems install the modules in the same place: Linux-PAM on Gentoo is generally set up to load them from /lib/security, but for example on AMD64 this become - /lib64/security, and on OpenPAM they are just in /usr/lib(64). The + /lib64/security. The result is that providing the full path will lead to non-working pamd files, and the right way to handle this is just states the module name the PAM implementation will take care of finding the module. @@ -99,16 +91,6 @@ The statement is composed of 3 or 4 tokens: passed to the module. These are module-dependent. - -

-As the number and the type of modules shipped with the implementation depends on -the implementations themselves (Linux-PAM provides a full working set of -modules, OpenPAM doesn't provide modules at all, and it's the operating system -which provides them, as FreeBSD or NetBSD do), there are just a few modules -which can be used directly in pamd files without the risk of providing a -non-working configuration file: -

-
  • pam_deny.so, pam_permit.so they just report a failure or a success @@ -163,25 +145,15 @@ completely non-portable. It is not used in all the implementations of Linux-PAM

    A solution came when AltLinux developers added a new instruction for the control -token: include. That control token can be used on Linux-PAM 0.78 and on -OpenPAM to do the same as a required pam_stack.so, replacing the module name +token: include. That control token can be used since Linux-PAM 0.78 +to do the same as a required pam_stack.so, replacing the module name with the name of the login class to mimic.

    In this way, instead of loading a module which in turn reloads pam, the option is parsed directly by the PAM implementation which loads the other login class -and takes care of executing it, and the same syntax is valid on both Linux-PAM -and OpenPAM systems. -

    - -

    -New packages (and new versions of old packages) should then use the include -directive instead of pam_stack.so module, but to do that they need to depend -on a later version of sys-libs/pam or on sys-libs/openpam (note: openpam -is for now just on G/FreeBSD's project overlay) to resolve this, -virtual/pam is set up to add the right dependency for the use of the include -directive. +and takes care of executing it.
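
Review bot: In the hunk at @@ -89,7 +81,7 @@, the sentence around the changed line still carries two grammar slips in its context: "on AMD64 this become" should be "this becomes", and "the right way to handle this is just states the module name the PAM implementation will take care of finding the module" should read along the lines of "the right way to handle this is to just state the module name; the PAM implementation will take care of finding the module". Since the line "/lib64/security. The" is being rewritten anyway, fix both in this commit. This is also the sentence that tells ebuild authors not to put a full module path in pamd files, so it is worth having it read cleanly.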
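
Review bot: In the hunk at @@ -99,16 +91,6 @@, the removed paragraph ending in "non-working configuration file:" is the lead-in to the module list, while the first list item (pam_deny.so, pam_permit.so) stays as context, so the list is left with nothing saying what it enumerates. Suggest replacing the paragraph rather than deleting it, with one sentence free of the OpenPAM comparison that states these are the modules which can be used directly in pamd files. Also check that the removed lines around the paragraph do not take out markup the remaining list still needs.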
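
Review bot: The last removed paragraph in the hunk at @@ -163,25 +145,15 @@ takes out the only recommendation visible here that new packages should use the include directive instead of the pam_stack.so module, together with the virtual/pam dependency note. What remains explains how include works but no longer tells a developer which of the two to pick. If the dependency advice is obsolete, say so in the commit message and keep the recommendation itself, for example "New packages (and new versions of old packages) should use the include directive instead of the pam_stack.so module." In the added line, "can be used since Linux-PAM 0.78" would read better as "has been available since Linux-PAM 0.78".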