[blfs-dev] pam_ck_connector and pam_loginuid

DJ Lucas dj at linuxfromscratch.org
Tue Jul 3 18:35:08 PDT 2012


On 07/02/2012 01:47 AM, Armin K. wrote:
> It is not my fault that sudo is broken when it comes to pam. Everything
> else works but it and I don't want to sacrifice everything else for some
> stuff I don't care about. Just don't use system-session in sudo in the
> first place like I do.
Well, that is the problem, sudo isn't broken, it is just doing what it 
was told to do. I'm going to disagree with you about sudo including 
session defaults (see below), but I'm going to follow your example 
nonetheless. I don't particularly like it as it was not what I had 
intended when I wrote those files, but it looks like you and Ubuntu do 
agree on it. They have added a common-session-noninteractive to handle 
this particular use case since I last visited their configuration (for 
which I based a good portion of BLFS's PAM configuration, though 
minimalist). While I dislike it, seeing as I did base it from theirs, 
I'm going to continue to follow their lead and do similar. ck_connector 
and loginuid will require no changes in your instructions this way, and 
the new file can be used for cron and samba later on (as in Ubuntu, so this 
might even be expected by some users).

As far as your sudo configuration, for what reason do you not follow the 
book? Only the above, or do you go well beyond the minimal defaults? If 
so, do you have any other suggestions? I wasn't aware that any other 
editors actually used it. While I'm browsing through it, I see a few 
other wrinkles, for instance, session limits should probably be added to 
system-session as well--while no limits are configured by default, it is 
probably surprising to an end user if they make changes and they don't 
see them immediately. I'm going to pick through it a little more as our 
defaults are getting a little long in the tooth (about 2 years old now). 
I'd like to keep pam_unix as a session module in system-session for 
logging though. In the case of sudo, it is an easy way to catch abuse 
cases of 'sudo su' or 'sudo bash' or similar. Do you have any other 
suggestions for the default PAM configuration?

-- DJ Lucas
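The two points in this message (a separate non-interactive session file so that sudo does not run ck_connector/loginuid, and keeping pam_unix plus pam_limits on the session stack) are easiest to check by resolving the session stack a service actually gets. The script below is an added example, not BLFS's or Ubuntu's configuration and not code from this thread; it follows `include`/`substack` (and Debian `@include`) lines in Linux-PAM `/etc/pam.d` syntax and prints the resulting session modules. The pam.d tree it builds is constructed sample data (the file names `system-session`, `system-session-noninteractive`, `login` and `sudo` and their contents are assumptions for the demo), so it runs offline.

```shell
# Added example, not from the BLFS book or from this thread. Resolves the
# session stack PAM will run for a service by following include/substack
# (and Debian "@include") lines, so you can confirm that, e.g., sudo still
# reaches pam_unix.so (session logging) and pam_limits.so after the session
# defaults are split into an interactive and a non-interactive file.
# Assumes Linux-PAM /etc/pam.d syntax: "type control module [args]".
set -f   # no globbing while we word-split config lines

# pam_session_modules DIR SERVICE -> prints one module filename per line
pam_session_modules() {
    dir=$1; svc=$2
    [ -r "$dir/$svc" ] || { echo "pam_session_modules: cannot read $dir/$svc" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip comments
        set -- $line                           # split into tokens
        [ $# -ge 2 ] || continue
        type=${1#-}; shift                     # "-session": skip silently if module missing
        if [ "$type" = "@include" ]; then      # Debian style: "@include common-session"
            pam_session_modules "$dir" "$1"
            continue
        fi
        [ "$type" = "session" ] || continue    # only the session phase interests us
        case $1 in
            \[*)                               # bracketed control: [success=1 default=ignore]
                while [ $# -gt 0 ]; do
                    case $1 in *\]) shift; break ;; *) shift ;; esac
                done
                control=bracketed ;;
            *)  control=$1; shift ;;
        esac
        case $control in
            include|substack) pam_session_modules "$dir" "$1" ;;   # recurse into referenced file
            *) printf '%s\n' "${1##*/}" ;;                         # module name, basename only
        esac
    done < "$dir/$svc"
}

# pam_session_has DIR SERVICE MODULE -> exit 0 if MODULE is on SERVICE's session stack
pam_session_has() {
    pam_session_modules "$1" "$2" | grep -qx "$3"
}

# make_sample_pamd -> builds a constructed pam.d tree (sample data, not a real
# system's config) and prints its path
make_sample_pamd() {
    d=$(mktemp -d)
    cat > "$d/system-session" <<'EOF'
# session defaults for interactive logins (constructed sample)
session   required    pam_unix.so
session   required    pam_limits.so
session   optional    pam_loginuid.so
session   optional    pam_ck_connector.so nox11
EOF
    cat > "$d/system-session-noninteractive" <<'EOF'
# session defaults for non-interactive services such as sudo (constructed sample)
session   required    pam_unix.so
session   required    pam_limits.so
EOF
    cat > "$d/login" <<'EOF'
auth      include     system-auth
session   include     system-session
EOF
    cat > "$d/sudo" <<'EOF'
session   include     system-session-noninteractive
EOF
    printf '%s\n' "$d"
}

# Demo: show which session modules login and sudo end up with.
sample=$(make_sample_pamd)
for s in login sudo; do
    printf '%s session stack: %s\n' "$s" "$(pam_session_modules "$sample" "$s" | tr '\n' ' ')"
done
rm -rf "$sample"
```

Run it against a real tree with `pam_session_modules /etc/pam.d sudo` to see whether sudo's session phase still includes pam_unix.so and pam_limits.so once sudo is pointed at the non-interactive file, and whether pam_ck_connector.so and pam_loginuid.so have dropped off it as intended.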

