IDEA: /etc/pam.d/*/*
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Sun Jul 25 09:57:39 UTC 2004
there is a minor issue of inter-dependence of packages that may
be resolved by applying the usual debian approach of
"if-it-was-a-config-file-make-it-a-directory".
the issue is that Debian has to cater for SELinux being
installed and not installed.
openssh, login, kdm, gdm, su and several other packages all
require "session pam_selinux.so required" to be added to
their respective /etc/pam.d/XXX configurations in order for
SE/Linux to operate correctly.
Redhat is solving the issue by always enabling SE/Linux by
default.
Debian has no such luxury.
therefore, openssh etc. etc. cannot accept upstream patches
to have /etc/pam.d/ssh include that line by default, because
if you do, and pam_selinux.so is not installed, you're hosed.
one possible solution is to turn, exactly as was done with
pam.conf into pam.d several years ago, the contents of
the pam.d files into directories.
now, in this case, an ordering is required, and so the same
thing can be done as with /etc/rc?.d/* and /etc/exim4/conf.d
namely to have a number NN[N][N] at the front of the config.
what this allows people to do is to install pam, and to install
selinux, and for there to NOT be an inter-dependence between
the two, and for there NOT to have to be a special openssh-selinux
with only a single file different (a different /etc/pam.d/ssh)
and likewise for all other packages.
in other words, the contents of /etc/pam.d/ssh get split into
a directory, /etc/pam.d/ssh, as follows:
000_nonroot:
# Disallow non-root logins when /etc/nologin exists.
auth required pam_nologin.so
100_stdunix:
# Standard Un*x authentication.
@include common-auth
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
etc. etc.
and then, you can install a separate pam-selinux package that
blats into the mix:
800_selinux:
session required pam_selinux.so
reckon?
l.
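The directory layout proposed above, modelled as an added example that is not part of the original post or of Debian's PAM packaging. It assumes the ordering rule the post borrows from /etc/rc?.d (fragments named NN[N][N]_name, concatenated in sorted order), and the function names assemble_pam_config, count_modules and missing_modules are invented for the demonstration. The last function shows the check a packager would want before shipping such a stack: every pam_*.so the assembled config names must actually exist in the module directory, which is the "you're hosed" failure mode the post describes when a fragment references pam_selinux.so on a system without it.

```shell
#!/bin/sh
# Model of the proposed /etc/pam.d/<service>/ directory layout.
# Hypothetical helper names; nothing here is PAM's or Debian's own code.

# assemble_pam_config DIR
# Print the effective stack for a service whose config is the directory DIR,
# concatenating NN[N][N]_name fragments in sorted (numeric-prefix) order.
assemble_pam_config() {
    dir=$1
    [ -d "$dir" ] || { echo "assemble_pam_config: $dir is not a directory" >&2; return 1; }
    # Shell glob expansion is sorted, so a zero-padded prefix fixes the order.
    for f in "$dir"/[0-9]*; do
        [ -f "$f" ] || continue
        # Skip editor and dpkg leftovers, the way run-parts does.
        case "$f" in *~|*.dpkg-*|*.bak) continue ;; esac
        printf '# --- from %s ---\n' "${f##*/}"
        cat "$f"
    done
}

# count_modules DIR MODULE
# Number of non-comment lines in the assembled stack that reference MODULE.
count_modules() {
    assemble_pam_config "$1" | grep -v '^[[:space:]]*#' | grep -c "$2" || true
}

# missing_modules DIR LIBDIR
# List every pam_*.so the assembled stack names that is absent from LIBDIR.
# @include targets are not followed; only modules named directly are checked.
missing_modules() {
    dir=$1; libdir=$2
    assemble_pam_config "$dir" \
        | grep -v '^[[:space:]]*#' \
        | grep -o 'pam_[A-Za-z0-9_]*\.so' \
        | sort -u \
        | while read -r mod; do
              [ -e "$libdir/$mod" ] || echo "$mod"
          done
}

# Demo on a constructed tree (no real /etc/pam.d or /lib/security is touched).
demo=$(mktemp -d)
mkdir -p "$demo/ssh" "$demo/lib"
printf '# Disallow non-root logins when /etc/nologin exists.\nauth required pam_nologin.so\n' \
    > "$demo/ssh/000_nonroot"
printf '@include common-auth\n@include common-account\n@include common-session\n' \
    > "$demo/ssh/100_stdunix"
printf 'session required pam_selinux.so\n' > "$demo/ssh/800_selinux"
: > "$demo/lib/pam_nologin.so"   # pretend only pam_nologin is installed
echo "== assembled /etc/pam.d/ssh =="
assemble_pam_config "$demo/ssh"
echo "== modules referenced but not installed =="
missing_modules "$demo/ssh" "$demo/lib"
rm -rf "$demo"
```

Dropping the 800_selinux fragment (or never installing the package that ships it) leaves the other fragments untouched and the assembled stack free of pam_selinux.so, which is the decoupling the post is after; the missing_modules check is what catches the opposite mistake, a fragment present without its module.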