On Tue, 8 Jun 2021 at 12:27, Stephen Gallagher <sgall...@redhat.com> wrote:
> On Tue, Jun 8, 2021 at 10:51 AM Tom Hughes <t...@compton.nu> wrote: > > > > On 08/06/2021 14:51, Stephen Gallagher wrote: > > > > > I was thinking about suggesting a similar PAM module to convert > > > existing hashes, but I suspect that we'd be coming up against some > > > issues with security policy and separation of actions. Right now, I > > > expect that SELinux permits PAM processes to have read-only access to > > > /etc/shadow, but such a change would necessitate read/write access, > > > which is riskier. It's also why PAM has separate activities for > > > authentication, authorization and password-change. > > > > Surely it has to allow write as well because any authentication can > > already prompt for a password change if the password is expired? > > > > It's been a while, but I *think* I remember that PAM sends back an > "expired password" message and the client application (eg. `login`) > then calls the pam_chpass() stack. > ___ > I believe it is something like that. mainly because there are many systems where a password change is a major auditable event and you only want those generated from specific systems and then pushed out. [Yes this doesn't fit well with the world of today, but the PAM stack was written for the security policies and actions of the late 1980's/early 1990's... ] -- Stephen J Smoogen. I've seen things you people wouldn't believe. Flame wars in sci.astro.orion. I have seen SPAM filters overload because of Godwin's Law. All those moments will be lost in time... like posts on BBS... time to reboot.
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure