Your message dated Fri, 28 Sep 2007 09:02:16 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#440130: fixed in pam 0.99.7.1-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libpam-modules
Version: 0.79-4
Severity: important

Currently, pam_limits includes a Debian-specific patch to support setting
Linux capabilities for services.  However, Linux capabilities are of limited
utility in Linux 2.4 kernels and above, because full POSIX capabilities have
been deliberately crippled upstream; the set of permitted capabilities is
not inherited across exec boundaries regardless of the contents of the
'inherited' set, and capabilities are not preserved across uid changes
except when a particular process option is manually set with prctl(), so the
pam_limits capabilities support is only useful on a modern kernel for
processes which:

- run pam_open_session() for each applicant
- handle each applicant in a separate process (since there's no support for
  restoring capabilities once they've been dropped)
- don't need to carry any positive capabilities across an exec() boundary
  (so either the service runs as root and uses pam_limits to drop
  privileges, or runs as non-root and never needs to start another program
  with the same privileges)
- have a reason for permitting different capabilities on a per-applicant
  basis (otherwise the app is better served by using libcap directly)

The third point rules out any shell-based services for users; the fourth
point really seems to rule out most network-based services, which normally
need a fixed set of capabilities to function correctly and should implement
their own uid/capability handling; the first point rules out a number of
applications such as apache; and the second point rules out a number of
other use cases.

So the principal remaining use case here seems to be to limit the
capabilities of root shells, but pam_limits doesn't give any granularity
finer than per-user, so this only helps if you want to limit the
capabilities of *all* root shells, which again doesn't seem very useful.

Add to that the fact that the pam_limits capability support was broken for
several years without anyone complaining, and that today it *still* doesn't
support the full cap_from_text() semantics for specifying capabilities
(specifying negative capability sets for root is a PITA), and this local
patch doesn't seem very useful to me.

It has never been submitted upstream, and dropping it would allow us to drop
libcap1 from the base system.  Therefore it is my intention to drop this
patch from a future upload of pam unless there's a good reason not to.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/


--- End Message ---
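The two kernel rules the report leans on (the inheritable set does not carry a capability across exec() when the binary has no file capabilities, and a uid change clears the permitted set unless PR_SET_KEEPCAPS was set with prctl()), modelled as an added C example; this is not code from pam or the Debian patch, the transition formulas follow capabilities(7), the bit positions for CAP_SETUID (7) and CAP_NET_BIND_SERVICE (10) are the standard ones, and the /proc status text is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CAP_ALL              UINT64_MAX
#define CAP_SETUID           (1ULL << 7)   /* standard capability bit number */
#define CAP_NET_BIND_SERVICE (1ULL << 10)  /* standard capability bit number */

/* Permitted set after execve() of a binary with NO file capabilities (the
 * only kind that existed when this report was filed).  capabilities(7):
 * P' = (I & fI) | (fP & bounding).  Without file caps fP = fI = 0, except
 * that a process whose effective uid is 0 after the exec (root, or a
 * set-uid-root binary) is treated as fP = fI = all; so the inheritable
 * set alone never carries a capability across exec, as the report says. */
uint64_t permitted_after_exec(uint64_t inheritable, uint64_t bounding,
                              int new_euid_is_root)
{
    uint64_t f = new_euid_is_root ? CAP_ALL : 0;   /* fP == fI here */
    return (inheritable & f) | (f & bounding);
}

/* Permitted set after a uid switch that leaves real, effective and saved
 * uid all non-zero: cleared unless PR_SET_KEEPCAPS (the prctl() option the
 * report mentions) was set beforehand. */
uint64_t permitted_after_setuid(uint64_t permitted, int keepcaps)
{
    return keepcaps ? permitted : 0;
}

/* Read one "CapXxx:" hex mask out of /proc/<pid>/status text, so an admin
 * can verify what a service actually retained.  Returns 0 if absent. */
uint64_t cap_field(const char *status, const char *field)
{
    const char *p = strstr(status, field);
    return p ? strtoull(p + strlen(field), NULL, 16) : 0;
}

int main(void)
{
    /* Constructed scenario: pam_limits granted a service CAP_NET_BIND_SERVICE
     * and CAP_SETUID; it then drops to the user and spawns a helper. */
    uint64_t prm = CAP_NET_BIND_SERVICE | CAP_SETUID;
    printf("after setuid() without KEEPCAPS: %#llx\n",
           (unsigned long long)permitted_after_setuid(prm, 0));
    printf("after exec() as non-root:        %#llx\n",
           (unsigned long long)permitted_after_exec(prm, CAP_ALL, 0));
    /* Constructed /proc/<pid>/status excerpt; 0x480 = bits 7 and 10. */
    const char *st = "Name:\tsvc\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000480\n";
    printf("CapPrm from status: %#llx\n", (unsigned long long)cap_field(st, "CapPrm:"));
    return 0;
}
```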
--- Begin Message ---
Source: pam
Source-Version: 0.99.7.1-5

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.99.7.1-5_amd64.deb
  to pool/main/p/pam/libpam-cracklib_0.99.7.1-5_amd64.deb
libpam-cracklib_0.99.7.1-5_i386.deb
  to pool/main/p/pam/libpam-cracklib_0.99.7.1-5_i386.deb
libpam-doc_0.99.7.1-5_all.deb
  to pool/main/p/pam/libpam-doc_0.99.7.1-5_all.deb
libpam-modules_0.99.7.1-5_amd64.deb
  to pool/main/p/pam/libpam-modules_0.99.7.1-5_amd64.deb
libpam-modules_0.99.7.1-5_i386.deb
  to pool/main/p/pam/libpam-modules_0.99.7.1-5_i386.deb
libpam-runtime_0.99.7.1-5_all.deb
  to pool/main/p/pam/libpam-runtime_0.99.7.1-5_all.deb
libpam0g-dev_0.99.7.1-5_amd64.deb
  to pool/main/p/pam/libpam0g-dev_0.99.7.1-5_amd64.deb
libpam0g-dev_0.99.7.1-5_i386.deb
  to pool/main/p/pam/libpam0g-dev_0.99.7.1-5_i386.deb
libpam0g_0.99.7.1-5_amd64.deb
  to pool/main/p/pam/libpam0g_0.99.7.1-5_amd64.deb
libpam0g_0.99.7.1-5_i386.deb
  to pool/main/p/pam/libpam0g_0.99.7.1-5_i386.deb
pam_0.99.7.1-5.diff.gz
  to pool/main/p/pam/pam_0.99.7.1-5.diff.gz
pam_0.99.7.1-5.dsc
  to pool/main/p/pam/pam_0.99.7.1-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <[EMAIL PROTECTED]> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Fri, 28 Sep 2007 00:17:00 -0700
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source amd64 all i386
Version: 0.99.7.1-5
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <[EMAIL PROTECTED]>
Changed-By: Steve Langasek <[EMAIL PROTECTED]>
Description: 
 libpam-doc - Documentation of PAM
 libpam-runtime - Runtime support for the PAM library
 libpam-cracklib - PAM module to enable cracklib support
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 414559 440130 440385 440390 440800 440953 441325 441843 441863 442276 443720 443924 444039
Changes: 
 pam (0.99.7.1-5) unstable; urgency=low
 .
   * More lintian overrides, related to debconf prompting in the postinst
   * Debconf translations:
     - Brazilian Portuguese, thanks to Eder L. Marques <[EMAIL PROTECTED]>
       (closes: #440385)
     - Russian, thanks to Yuri Kozlov <[EMAIL PROTECTED]>
       (closes: #440390, #440953, #444039)
     - Bulgarian, thanks to Damyan Ivanov <[EMAIL PROTECTED]>
       (closes: #441863)
     - Finnish, thanks to Esko Arajärvi <[EMAIL PROTECTED]> (closes: #443720)
     - Simplified Chinese, thanks to Ming Hua
       <[EMAIL PROTECTED]> (closes: #443924)
     - Updated Portuguese, thanks to Américo Monteiro <[EMAIL PROTECTED]>
     - Updated Vietnamese, thanks to Clytie Siddall <[EMAIL PROTECTED]>
       (closes: #440800)
     - Updated German, thanks to Sven Joachim <[EMAIL PROTECTED]>
     - Updated Spanish, thanks to Javier Fernández-Sanguino Peña
       <[EMAIL PROTECTED]>
     - Updated Czech, thanks to Miroslav Kure <[EMAIL PROTECTED]>
       (closes: #441325)
   * Further cleanups of 007_modules_pam_unix -- don't use a global variable
     for pass_min_len, don't gratuitously move the length checking into the
     "obscure" checks, and internationalize the error strings.
   * Stop overriding the built-in default minimum password length in
     /etc/pam.d/common-password, and also drop the "max" option which has now
     been obsoleted.
   * Fix up the comments in /etc/pam.d/common-password to make it clear that
     the options are specific to pam_unix.  Closes: #414559.
   * Patch 038: fix another thinko in the getline handling.  Closes: #442276.
   * If there are active X logins, don't restart kdm, wdm, and xdm by default;
     instead, display a debconf error if they haven't been restarted.
     Closes: #441843.
   * Drop the local patch for Linux capabilities in pam_limits; Linux
     capabilities are not generally useful in a PAM context, and the PAM
     capabilities patch has been broken through much of its life.
     Closes: #440130.
   * -Wl,-z,defs was never enabled correctly, drop it since upstream is
     already using -no-undefined
   * Pass --build and --host args to ./configure as necessary, for
     cross-building support.
Files: 



--- End Message ---