Automatic testing of pam modules
rozelak at volny.cz
rozelak at volny.cz
Mon Jun 30 14:53:03 UTC 2008
> >
> > I primarily patched the latest version to obtain pathnames
> > from environment variables. I also directed system logging
> > to a file. My aim, however, was to modify the original PAM
> > code as little as possible, since I want to reduce the
> > possibility of introducing anomalous behaviors due to the
> > changes themselves (is that Heisencode? :-).
> >
>
> Great! I absolutely agree with the effort not to affect the ordinary
> > PAM (the code used when PAM is integrated within system). Were the
> modifications
> > accepted into PAM project? Could you send me the code with your modifications?
>
It was not send to the PAM project (at least I never got something).
>From what I understand how it works I would also not accept it, since
>it would create a big security hole.
>
Yes, I agree that there must be nothing like security hole in auth-mechanism.
What I don't understand is what kind of security hole you mean - if
this is conditionally built ONLY when a kind of TESTING macro is defined,
resulting in a 'libpamtest' library (to be not in colision with 'libpam'
...). Maybe other mechanisms preventing the use of such test library
by root, or instead of system 'libpam' could be applyed?
> It would be really better to work only with a copy of libpam configured
> with different paths.
> >
> Thorsten
Yes, I use it right now. But from the point of view of (maybe not very
experianced, but still) PAM module developer, I tkink that this solution
is not so flexible to make the development of modules easy, confortable
and testable. Even tests in 'xtest' seems to require cooperation with
system PAM and thus root account (stuff like '/usr/sbin/groupadd tstpamaccess'
in 'tst-pam_access2.sh' ...) - well build with custom paths may help,
but what is the difference between build a 'libpam' with custom paths,
and build a 'libpamtest' which is able to read paths from somewhere
(I do not say that it must be from env variables) any time it is used
(allowing to change a config directory for each test case?). Moreover,
extra testing applications (like 'pamtester') could be build against
'libpamtest', symplifying the need of a custom build of such applications.
And there is also a question of module unit-testing abilities ...
So again, please believe me that I undestand your fear and I completely
agree with you about high security which must be ensured by PAM. But
instead of rejecting any attempts to make the testing of pam modules
"pleasant" for 3rd party developpers (who often do it in their free
times, maybe as well as you), let us discuss about the possibilities
of how to make it. I can present my "high level" idea, how I would like
to have a module test to be configurable, and that we can discuss the
possibilities how to reach this state. If we decide on something siply
writable and even simpler usable, I would be glad to write it and prove
its usability for testing.
Best regards,
Dan
More information about the Pam-list
mailing list