[Buildroot] [PATCH 2/2] Provide PAM default configuration files when building linux-pam package
Yann E. MORIN
yann.morin.1998 at free.fr
Tue Sep 4 17:52:39 UTC 2012
Dmitry, All,
On Tuesday 04 September 2012 19:33:08 Dmitry Golubovsky wrote:
> On Tue, Sep 4, 2012 at 1:02 PM, Yann E. MORIN <yann.morin.1998 at free.fr> wrote:
> > I think that this patch, which adds the default files, should come
> > _before_ the busybox patch. If only the busybox patch were to be
> > applied, then PAM would not be useable as it would lack those files.
> >
> > In the current order, it would also break 'bisectability'.
>
> This patch was a "reasonable compromise" to have a somewhat working
> system emulating PAM-less behavior when PAM is enabled in login and no
> proper PAM configs are provided.
> I think that in a real project, a post-build filesystem fix should
> replace these files with something more sensible (like mine does).
Ah, OK I get it. With these two files, even if no PAM configuration is
provided by other means, it would behave as if PAM was not enabled. Right?
> Regarding ordering, I'll try to switch the order.
Yes, because without this patch, if linux-pam is enabled, and PAM is
enabled in busybox (which is possible with the previous patch), what
would be the behaviour?
I guess that, without its config files, PAM would not allow anything,
right?
If so, then the default files should come _before_ they are required.
> >> +#
> >> +# default; standard UN*X access
> >> +#
> >> +auth required pam_unix.so
> >> +account required pam_unix.so
> >> +password required pam_unix.so
> >> +session required pam_unix.so
> >> +
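Review bot: the name this stack is installed under matters more than the stack itself; the install rule later in the patch puts it at `$(TARGET_DIR)/etc/pam.d/default`, but Linux-PAM looks up the file named after the service string the application passes to pam_start() and, when no such file exists, falls back to `/etc/pam.d/other`, never to a file called `default`. If this is meant as the catch-all that applies whenever a program has no dedicated file, install it as `other` (in addition to, or instead of, `default`); if some program really does ask for a service named "default", a comment in the file saying which one would save the next reader the same question.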
> >
> > I am not a PAM expert, so I can't say whether these settings are correct,
> > enough, or whatever. I'd trust close to anybody on this subject. ;-)
>
> This is an example from PAM documentation:
OK, good! :-)
> >> +define LINUX_PAM_CONFFILES
> >> + $(INSTALL) -D -m 0644 package/linux-pam/default $(TARGET_DIR)/etc/pam.d/default
> >> + $(INSTALL) -D -m 0644 package/linux-pam/login $(TARGET_DIR)/etc/pam.d/login
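Review bot: `LINUX_PAM_CONFFILES` is only defined here and nothing in the visible lines registers it, so unless the rest of the patch adds `LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFFILES` the two install commands never run; please check that the hook registration is part of the change. Both `$(INSTALL)` lines also overwrite whatever `default` and `login` are already in `$(TARGET_DIR)/etc/pam.d`, which is fine for the post-build override the thread expects (post-build scripts run after package installation) but deserves a one-line comment above the define stating that these are fallback stacks meant to be replaced.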
> >
> > I'd use:
> > $(INSTALL) -D -m 0644 $(@D)/default $(TARGET_DIR)/etc/pam.d/default
>
> But $(@D) is the build directory, while the files are part of
> Buildroot package rather than PAM itself. $(@D) is to my understanding
> output/build/linux-pam-x.y.z
Gah, my bad...
This morning's caffeine dose is no longer having any effect... :-(
> > Also, shouldn't these files get special permission (i.e. readable only by
> > root, or stuff like that)? If so, then use:
> > LINUX_PAM_PERMISSIONS = .....
>
> Not sure if that's needed: they do not have anything secret, just
> nobody other than root can change them.
OK, I just checked on my distro, and indeed they're world-readable.
/etc/shadow is not, however, and that was what I probably was thinking
about (damn lack of caffeine is kicking again...)
> > At the risk of adding to the option maze, I'd suggest at least adding
> > a config knob to enable that. For example:
[--SNIP--]
> I'm afraid this is too much. And it should be provided for the
> PAM-less config as well.
Yep.
> One who wants to use PAM will likely design a proper authentication
> scheme and provide their own better PAM configs.
Granted.
> > IMNSHO, the default should be a secure system.
> But it is not by default: root can login w/o password
Yep again, indeed.
If you resubmit with the ordering reversed, you can add my:
Acked-by: "Yann E. MORIN" <yann.morin.1998 at free.fr>
for this patch (I'll review the other later).
Thanks for bearing with me. ;-)
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
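As an added example (not part of the patch, of linux-pam, or of Buildroot itself): a small POSIX shell audit helper that checks a target `etc/pam.d` directory for the two properties the thread turns on, that every service file carries all four stacks (auth, account, password, session), since a stack a service file lacks cannot succeed for that service, and that the files are owned-writable only (world-readable 0644 is fine; they hold nothing secret). The sample tree `make_sample_pamd` builds is constructed for this example: `default` is the stack from the patch, `su` is deliberately incomplete and group/world-writable. All function names are this example's own; `@include` lines are not followed.

```shell
#!/bin/sh
# pam.d audit helper (added example; not from the Buildroot patch or linux-pam).

# pam_stacks FILE -> distinct stack types in FILE, one per line.
# Strips comments and blank lines; a leading '-' (silently-skipped module) is dropped.
pam_stacks() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
        | awk '{ sub(/^-/, "", $1); print $1 }' \
        | sort -u
}

# pam_missing_stacks FILE -> the stack types absent from FILE (empty output if complete).
pam_missing_stacks() {
    for t in auth account password session; do
        pam_stacks "$1" | grep -qx "$t" || echo "$t"
    done
}

# pam_file_writable_by_others FILE -> exit 0 if group or other has write permission.
# Uses the ls -l mode string so it works with both GNU and BSD userland.
pam_file_writable_by_others() {
    perms=$(ls -l "$1" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_pamd DIR -> one line per problem found under DIR; prints nothing if clean.
audit_pamd() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        missing=$(pam_missing_stacks "$f" | tr '\n' ' ')
        if [ -n "$missing" ]; then
            echo "$svc: missing stacks: $missing"
        fi
        if pam_file_writable_by_others "$f"; then
            echo "$svc: writable by group/others"
        fi
    done
    return 0
}

# make_sample_pamd DIR -> constructed sample tree for this example:
# 'default' exactly as in the patch, 'su' lacking two stacks and chmod 0666.
make_sample_pamd() {
    mkdir -p "$1"
    cat > "$1/default" <<'EOF'
#
# default; standard UN*X access
#
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
EOF
    chmod 0644 "$1/default"
    cat > "$1/su" <<'EOF'
auth required pam_unix.so
account required pam_unix.so
EOF
    chmod 0666 "$1/su"
}
```

Run it against a real target tree with `audit_pamd output/target/etc/pam.d`; an empty report means every service file has all four stacks and none is writable by anyone but its owner. On the constructed sample it reports two problems, both for `su`.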