Bug#711100: libpam-tmpdir: increase Priority field in package-supplied authentication profiles

2013-06-29 Thread Tollef Fog Heen
]] Jerome BENOIT 


> Nevertheless, a less egocentric reading of the PAM policy lets me guess that
> the priority may be higher but less than 256 (``local authentication'');
> for the lower bound, as it makes sense that a ``strong measures'' module
> needs a relevant effective TMPDIR, I guess that the priority must be strictly
> greater than 128. On the other hand, libpam-tmpdir may implicitly need some
> prerequirements while postrequirements may be needed as well:
> rooms must be provided before and after. Therefrom, a priority of
>
> 128+(256-128)/2=192
>
> for libpam-tmpdir sounds reasonable wrt the Ubuntu documents cited above.

I agree that the priority should probably be higher, but I don't think
your reasoning holds, since it's not an authentication module, it's a
session module, so any priority change won't really help you, if you do
your work in the auth phase (which I think you are?).

> Do you plan to fix this issue soon?

I wasn't planning on changing it until we have some reasonable specs to
go by, so we don't have uncoordinated priorities being set.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#711100: libpam-tmpdir: increase Priority field in package-supplied authentication profiles

2013-06-29 Thread Jerome BENOIT



On 29/06/13 09:44, Tollef Fog Heen wrote:
> ]] Jerome BENOIT
>
> > Nevertheless, a less egocentric reading of the PAM policy lets me guess that
> > the priority may be higher but less than 256 (``local authentication'');
> > for the lower bound, as it makes sense that a ``strong measures'' module
> > needs a relevant effective TMPDIR, I guess that the priority must be strictly
> > greater than 128. On the other hand, libpam-tmpdir may implicitly need some
> > prerequirements while postrequirements may be needed as well:
> > rooms must be provided before and after. Therefrom, a priority of
> >
> > 128+(256-128)/2=192
> >
> > for libpam-tmpdir sounds reasonable wrt the Ubuntu documents cited above.
>
> I agree that the priority should probably be higher, but I don't think
> your reasoning holds, since it's not an authentication module, it's a
> session module, so any priority change won't really help you, if you do
> your work in the auth phase (which I think you are?).

Let me be egocentric again.

pam_ssh(8) has both `auth' and `session' features:
the SSH agent is initiated during the `session' part.

In my current working `/etc/pam.d/login', I read:

[...]
@include common-session
session optional pam_ssh.so
[...]

And the last pam-config file of libpam-ssh is:

- --8---
Name: Authenticate using SSH keys and start ssh-agent
Default: yes
Priority: 64
Auth-Type: Additional
Auth:
  optional  pam_ssh.so use_first_pass
Session-Interactive-Only: yes
Session-Type: Additional
Session-Final:
  optional  pam_ssh.so
- 8-

So, it is certainly the Session-Final that may be split:
a pre-pam-tmpdir part and a post-pam-tmpdir one.

 
> > Do you plan to fix this issue soon?
>
> I wasn't planning on changing it until we have some reasonable specs to
> go by, so we don't have uncoordinated priorities being set.

This sounds reasonable: on which door may we knock in order to clarify the point?

Best wishes,
Jerome  
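
The ordering question discussed in this thread, as an added example (not code from libpam-tmpdir, libpam-ssh or pam-auth-update). It assumes profiles are stacked highest Priority first; the libpam-tmpdir profile body is constructed (only its Priority of 0 comes from the thread), and the function names are hypothetical.

```python
# SSH_PROFILE is the libpam-ssh profile quoted in the message above.
# TMPDIR_PROFILE is constructed for this example: the thread only states
# that libpam-tmpdir's Priority is 0; the remaining fields are assumed.
SSH_PROFILE = """\
Name: Authenticate using SSH keys and start ssh-agent
Default: yes
Priority: 64
Auth-Type: Additional
Auth:
\toptional\tpam_ssh.so use_first_pass
Session-Interactive-Only: yes
Session-Type: Additional
Session-Final:
\toptional\tpam_ssh.so
"""
TMPDIR_PROFILE = """\
Name: per-user temporary directories
Default: yes
Priority: {priority}
Session-Type: Additional
Session:
\toptional\tpam_tmpdir.so
"""

def parse_profile(text):
    """Parse 'Field: value' lines; indented lines continue the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:
            fields[current] = (fields[current] + "\n" + line.strip()).strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields

def session_order(profile_texts):
    """Session modules in stack order, assuming highest Priority goes first."""
    profiles = sorted(map(parse_profile, profile_texts),
                      key=lambda p: int(p["Priority"]), reverse=True)
    order = []
    for p in profiles:
        body = p.get("Session") or p.get("Session-Final") or ""
        order += [ln.split()[1] for ln in body.splitlines() if len(ln.split()) > 1]
    return order

def tmpdir_ready_for_ssh(tmpdir_priority):
    """True if pam_tmpdir.so is stacked ahead of pam_ssh.so in the session phase."""
    order = session_order([SSH_PROFILE, TMPDIR_PROFILE.format(priority=tmpdir_priority)])
    return order.index("pam_tmpdir.so") < order.index("pam_ssh.so")

if __name__ == "__main__":
    for prio in (0, 65, 192):  # current value, and the two values proposed in the thread
        print(prio, tmpdir_ready_for_ssh(prio))
```
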





Bug#711100: libpam-tmpdir: increase Priority field in package-supplied authentication profiles

2013-06-29 Thread Tollef Fog Heen
]] Jerome BENOIT 

> On 29/06/13 09:44, Tollef Fog Heen wrote:
> > ]] Jerome BENOIT
> >
> > > Nevertheless, a less egocentric reading of the PAM policy lets me guess that
> > > the priority may be higher but less than 256 (``local authentication'');
> > > for the lower bound, as it makes sense that a ``strong measures'' module
> > > needs a relevant effective TMPDIR, I guess that the priority must be
> > > strictly
> > > greater than 128. On the other hand, libpam-tmpdir may implicitly need some
> > > prerequirements while postrequirements may be needed as well:
> > > rooms must be provided before and after. Therefrom, a priority of
> > >
> > > 128+(256-128)/2=192
> > >
> > > for libpam-tmpdir sounds reasonable wrt the Ubuntu documents cited above.
> >
> > I agree that the priority should probably be higher, but I don't think
> > your reasoning holds, since it's not an authentication module, it's a
> > session module, so any priority change won't really help you, if you do
> > your work in the auth phase (which I think you are?).
>
> Let me be egocentric again.
>
> pam_ssh(8) has both `auth' and `session' features:
> the SSH agent is initiated during the `session' part.

Ok, then it ought to work.

[...]

> > > Do you plan to fix this issue soon?
> >
> > I wasn't planning on changing it until we have some reasonable specs to
> > go by, so we don't have uncoordinated priorities being set.
>
> This sounds reasonable: on which door may we knock in order to clarify the
> point?

I've asked Steve Langasek (who wrote the original spec) to comment, both
in my original reply to you and on my last and this followup.

Cheers,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are





Bug#711100: libpam-tmpdir: increase Priority field in package-supplied authentication profiles

2013-06-28 Thread Jerome BENOIT

Hello,

On 05/06/13 10:06, Tollef Fog Heen wrote:
> ]] Jerome Benoit
>
> > the current Priority field in the PAM profile is zero
> > in such a way that no PAM module can run before pam-tmpdir,
> > even the ones that play pwj TMPDIR (as libpam-ssh not named
> > one): please can you increase the Priority of libpam-tmpdir
> > in such a way it allows to run a PAM module after it;
> > I cannot find a policy concerning the Priority, but setting
> > it to zero is rather drastic.
>
> This sounds reasonable, but the PAM policy does not really give any
> guidelines as to what it should be set to for non-auth modules.
>
> Steve, any chance you could provide some guidelines?  The only spec-like
> document I've seen is https://wiki.ubuntu.com/PAMConfigFrameworkSpec
> which is what I've been going by.
 

I disagree in the sense that some auth modules may depend on a relevant
effective TMPDIR to work properly, so implicitly the PAM policy (as specified
in the Ubuntu wiki) furnishes some guidelines. Of course, I have my package
in mind, libpam-ssh, which has currently a priority of 64: basically it launches
a ssh-agent(1) which binds the agent to a UNIX-domain socket placed by default
in $TMPDIR/ssh-XX/agent.ppid . So, for my own concern, the priority of
libpam-tmpdir must be at least 65.

Nevertheless, a less egocentric reading of the PAM policy lets me guess that
the priority may be higher but less than 256 (``local authentication'');
for the lower bound, as it makes sense that a ``strong measures'' module
needs a relevant effective TMPDIR, I guess that the priority must be strictly
greater than 128. On the other hand, libpam-tmpdir may implicitly need some
prerequirements while postrequirements may be needed as well:
rooms must be provided before and after. Therefrom, a priority of

128+(256-128)/2=192

for libpam-tmpdir sounds reasonable wrt the Ubuntu documents cited above.

Do you plan to fix this issue soon?
I am asking because I am planning to harden the concerned part of the libpam-ssh
package.

Thanks.

Best wishes,
Jerome





Bug#711100: libpam-tmpdir: increase Priority field in package-supplied authentication profiles

2013-06-05 Thread Tollef Fog Heen
]] Jerome Benoit 

> the current Priority field in the PAM profile is zero
> in such a way that no PAM module can run before pam-tmpdir,
> even the ones that play pwj TMPDIR (as libpam-ssh not named
> one): please can you increase the Priority of libpam-tmpdir
> in such a way it allows to run a PAM module after it;
> I cannot find a policy concerning the Priority, but setting
> it to zero is rather drastic.

This sounds reasonable, but the PAM policy does not really give any
guidelines as to what it should be set to for non-auth modules.

Steve, any chance you could provide some guidelines?  The only spec-like
document I've seen is https://wiki.ubuntu.com/PAMConfigFrameworkSpec
which is what I've been going by.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are





Bug#711100: libpam-tmpdir: increase Priority field in package-supplied authentication profiles

2013-06-04 Thread Jerome Benoit
Package: libpam-tmpdir
Version: 0.09
Severity: wishlist

Dear Maintainer,

the current Priority field in the PAM profile is zero
in such a way that no PAM module can run before pam-tmpdir,
even the ones that play pwj TMPDIR (as libpam-ssh not named
one): please can you increase the Priority of libpam-tmpdir
in such a way it allows to run a PAM module after it;
I cannot find a policy concerning the Priority, but setting
it to zero is rather drastic.

Best wishes,
Jerome


-- System Information:
Debian Release: Wheezy*
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.41-amd64-mbp62 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-tmpdir depends on:
ii  libc6  2.13-38
ii  libpam-runtime 1.1.3-7.1
ii  libpam0g   1.1.3-7.1
ii  multiarch-support  2.13-38

libpam-tmpdir recommends no packages.

libpam-tmpdir suggests no packages.

-- no debconf information

