Deprecating pam_stack.so

Tomas Mraz tmraz at redhat.com
Fri Oct 7 13:01:05 UTC 2005


Linux-PAM 0.78 and later contains an include directive which obsoletes
the use of the pam_stack module. This module is rather a hack, as it requires
access to pam library internals for its operation, and it will never be
accepted upstream.

The include directive implementation is much cleaner, although its
semantics are subtly different. The include works as a real include, so
the base file and the included one are processed as if they were first
flattened into one file. The pam_stack module, however, works as if
pam were recursively called again for the stacked service.

Arguably the pam_stack model is a little bit more "user friendly", as
"sufficient" entries in the stacked service don't bypass modules in the
primary service which come after the pam_stack module. This means that
existing configuration files for services cannot be blindly modified;
they have to be carefully examined and modified with the above in
mind.

The pam_stack module probably won't be removed too soon, because it would
break upgrades with modified pam configs; however, I'll probably add a
deprecation message in the system log when it is used.

Also, a big warning for people who modify the /etc/pam.d/system-auth file
by hand: never remove the "auth required pam_deny.so" line, as it will make
some pamified services open to anyone (depending on the preceding modules in
system-auth and the pam config which includes it).
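To make the two points above concrete (the include-versus-pam_stack difference, and why the trailing pam_deny.so line matters), here is an added toy evaluator of Linux-PAM control flags; it is not code from the post or from Linux-PAM, it simplifies the real dispatch logic to required/requisite/sufficient/optional, and the module results and the names pam_extra.so and pam_after.so are constructed for the illustration.

```python
# Added example (not from the post): a toy evaluator of Linux-PAM control flags
# showing why "include" and pam_stack.so differ, and what the trailing
# "auth required pam_deny.so" guards against. Results are constructed booleans
# (True = PAM_SUCCESS); pam_extra.so and pam_after.so are hypothetical names.

def run_stack(entries, results, services):
    """Evaluate (control, module) entries; return True on PAM_SUCCESS."""
    failed = positive = False
    for control, module in entries:
        if module.startswith("pam_stack.so"):
            # pam_stack: recurse; the sub-stack's verdict is treated as one result
            ok = run_stack(services[module.split("service=", 1)[1]], results, services)
        else:
            ok = results[module]
        if control == "requisite" and not ok:
            return False                 # fail immediately
        if control == "required" and not ok:
            failed = True                # remember, but keep running the rest
        elif ok and control == "sufficient" and not failed:
            return True                  # skip everything after this line
        elif ok and control in ("required", "optional"):
            positive = True              # failed sufficient/optional are ignored
    return positive and not failed       # an all-ignored stack does not succeed

def flatten(entries, services):
    """'include' semantics: splice the included file in place, then evaluate."""
    out = []
    for control, module in entries:
        if control == "include":
            out.extend(flatten(services[module], services))
        else:
            out.append((control, module))
    return out
SYSTEM_AUTH = [("sufficient", "pam_unix.so"), ("required", "pam_deny.so")]
SERVICES = {"system-auth": SYSTEM_AUTH}
VIA_STACK = [("required", "pam_stack.so service=system-auth"), ("required", "pam_extra.so")]
VIA_INCLUDE = [("include", "system-auth"), ("required", "pam_extra.so")]

def compare(unix_ok, extra_ok):
    """(pam_stack verdict, include verdict) for the same module results."""
    r = {"pam_unix.so": unix_ok, "pam_deny.so": False, "pam_extra.so": extra_ok}
    return (run_stack(VIA_STACK, r, SERVICES),
            run_stack(flatten(VIA_INCLUDE, SERVICES), r, SERVICES))

def wrong_password_accepted(keep_deny):
    """Service = include system-auth + an optional module that succeeds."""
    auth = SYSTEM_AUTH if keep_deny else SYSTEM_AUTH[:1]   # drop pam_deny?
    svc = [("include", "system-auth"), ("optional", "pam_after.so")]
    r = {"pam_unix.so": False, "pam_deny.so": False, "pam_after.so": True}
    return run_stack(flatten(svc, {"system-auth": auth}), r, {})
```

With a correct password and a failing pam_extra.so, compare() returns (False, True): the sufficient pam_unix.so line bypasses pam_extra.so only under include, exactly the difference described above. wrong_password_accepted(False) returns True, showing how a service that includes a system-auth stripped of pam_deny.so can accept a wrong password.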
-- 
Tomas Mraz <tmraz at redhat.com>
