[gentoo-dev] Pluggable Hell Part 2: Fixing everything up!

["Diego \"Flameeyes\" Pettenò" <flameeyes@users.berlios.de>]

[-- Attachment #1: Type: text/plain, Size: 2532 bytes --]

Ok, second part of my odyssey in PAM implementations.
After a day searching for example config files and so on, I found out that 
Linux-PAM already support the include syntax of openpam since version 0.78.
This is useful to our needs, because it allow us to have a single 
configuration file which works on both openpam and linux-pam.

The old syntax is that:

class required pam_stack.so service=system-auth

the new one should be:

class include system-auth

Now, to start making the changes needed to have complete openpam/linuxpam 
intercompatibility, there's need of a few changes in tree:
- we need a virtual/pam, which could be provided by linux-pam or by openpam;
- we need an ebuild for openpam (i've wrote one, but still misses a few 
points, mainly for the missing thigns here stated)
- we need a virtual/pam-modules which could be provided by linux-pam or by a 
new freebsd-pam-modules (they work also under linux as far as I know... i'll 
test that better when I'll have the other things working, now is a bit 
complicated to do), openpam will pdepend on freebsd-pam-modules to provide 
both in a simple way.
- not needed, but surely helpful, sys-libs/pam could be renamed to 
sys-libs/linux-pam, or sys-libs/Linux-PAM which is it's exact spelling. This 
way we have a consistent naming scheme
- all the dependency on sys-libs/pam should be changed to virtual/pam (also if 
they use pam_stack.so under openpam, until we have fixed everything this 
could be worked around by the ones using openpam... initially only 
experimental users should use it, so they should be able to cope with broken 
configuration files, see next point for solution)
- the new ebuilds should add a new configuration file with the new syntax, and 
should depend on: || ( >=sys-libs/pam-0.78 virtual/pam ). This would fix the 
previous point, as who is using openpam will use the ~arch packages which 
will be fixed one by one (by me, submitting patches to maintainers), this way 
the packages will work out-of-the-box for both g/linux and g/fbsd users (i 
haven't searched on macosx, but should be, as they have the same userlands of 
fbsd).

I'll work anyway on a pam_stack hack for openpam, also if I'm not sure if, 
when and how I'll be able to make it work... also I don't like too much 
messing with security stuff :/

Well.. if there's someone (lu_zero? :) ) which doesn't like this solution... 
comments accepted :)

-- 
Diego "Flameeyes" Pettenò
http://wwwstud.dsi.unive.it/~dpetteno/

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]