[blfs-dev] pam_ck_connector and pam_loginuid
dj at linuxfromscratch.org
Tue Jul 3 18:35:08 PDT 2012

On 07/02/2012 01:47 AM, Armin K. wrote:
> It is not my fault that sudo is broken when it comes to pam. Everything
> else works but it and I don't want to sacrifice everything else for some
> stuff I don't care about. Just don't use system-session in sudo in the
> first place like I do.

Well, that is the problem, sudo isn't broken, it is just doing what it
was told to do. I'm going to disagree with you about sudo including
session defaults (see below), but I'm going to follow your example
nonetheless. I don't particularly like it as it was not what I had
intended when I wrote those files, but it looks like you and Ubuntu do
agree on it. They have added a common-session-noninteractive to handle
this particular use case since I last visited their configuration (for
which I based a good portion of BLFS's PAM configuration, though
minimalist). While I dislike it, seeing as I did base it from theirs,
I'm going to continue to follow their lead and do similar. ck_connector
and loginuid will require no changes in your instructions this way, and
the new can be used for cron and samba later on (as in Ubuntu, so this
might even be expected by some users).

As far as your sudo configuration, for what reason do you not follow the
book? Only the above, or do you go well beyond the minimal defaults? If
so, do you have any other suggestions? I wasn't aware that any other
editors actually used it. While I'm browsing through it, I see a few
other wrinkles, for instance, session limits should probably be added to
system-session as well--while no limits are configured by default, it is
probably surprising to an end user if they make changes and they don't
see them immediately. I'm going to pick through it a little more as our
defaults are getting a little long in the tooth (about 2 years old now).

I'd like to keep pam_unix as a session module in system-session for
logging though. In the case of sudo, it is an easy way to catch abuse
cases of 'sudo su' or 'sudo bash' or similar. Do you have any other
suggestions for the default PAM configuration?

-- DJ Lucas
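
An added example, not part of the original message or of BLFS: a small Python check that follows `include` lines in PAM service files and reports when sudo, cron or samba reach pam_loginuid or pam_ck_connector in their session stack, the situation this thread is working around. The file contents are constructed, and the name system-session-noninteractive is hypothetical, modelled on the Ubuntu file the message mentions.

```python
import re

# Constructed /etc/pam.d contents (not BLFS's real files). "system-session" is
# the name used in the message; "system-session-noninteractive" is hypothetical,
# modelled on Ubuntu's common-session-noninteractive.
PAM_D = {
    "system-session": "session required pam_unix.so\n"
                      "session required pam_loginuid.so\n"
                      "session optional pam_ck_connector.so nox11\n",
    "system-session-noninteractive": "session required pam_unix.so\n",
    "login": "session include system-session\n",
    "sudo": "session include system-session\n",
    "cron": "session include system-session-noninteractive\n",
}
LOGIN_ONLY = {"pam_loginuid.so", "pam_ck_connector.so"}
NONINTERACTIVE = ("sudo", "cron", "samba")  # services named in the message


def session_modules(service, files, seen=None):
    """Return the session modules a service reaches, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []  # include loop, or no such service file
    seen.add(service)
    modules = []
    for line in files[service].splitlines():
        # Drop comments; collapse a bracketed control field into one token.
        fields = re.sub(r"\[[^\]]*\]", "ctl", line.split("#", 1)[0]).split()
        if len(fields) < 3 or fields[0].lstrip("-") != "session":
            continue
        if fields[1] in ("include", "substack"):
            modules += session_modules(fields[2], files, seen)
        else:
            modules.append(fields[2].rsplit("/", 1)[-1])
    return modules


def audit(files):
    """Map each non-interactive service to the login-only modules it loads."""
    findings = {}
    for svc in NONINTERACTIVE:
        hits = sorted(LOGIN_ONLY.intersection(session_modules(svc, files)))
        if hits:
            findings[svc] = hits
    return findings


if __name__ == "__main__":
    print(audit(PAM_D))
```

To run it against a real system, build the dictionary from the files under /etc/pam.d instead of the constructed PAM_D.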