On Fr, 22.08.25 14:32, Thorsten Kukuk ([email protected]) wrote:

> Hi,
>
> Would it be possible or has anybody ever tried to implement the PAM
> conversation function (https://manpages.opensuse.org/pam_conv.3) via
> varlink?
>
> To get rid of setuid binaries (here passwd, chsh and chfn) my idea was
> to have a service running the PAM stack, and passwd, chsh and chfn are
> "dumb" command line tools communicating via varlink with the service.
> So that they don't need to be setuid.
> I did that in the past already with sockets and TLS, but I would
> prefer to use a modern framework to avoid doing everything by hand.
>
> My biggest concerns are currently the timeouts and how to do the
> "communication", can you do that in one call to a method? So call a
> method, that will send a message back, wait for answer, send the next
> message, etc. until it's really finished?
Varlink is pretty flexible, you can set any timeouts on method calls you
want. I am not entirely following the precise communication scheme, but
with varlink you can do call+response stuff, and call+manyresponses
stuff. The latter is useful for enumeration and subscription, and for
"agent registration" scenarios.

Knowing pam_conv a bit I don't think it should be much of a problem
mapping that 1:1 to varlink requests.

Lennart

--
Lennart Poettering, Berlin
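The mapping the two messages above circle around, written out as an added example (it is not code from this thread, from systemd or from any of the tools named). It models the "agent registration" pattern Lennart mentions: the unprivileged client opens a long-lived `more` call and the service streams each PAM conversation message back as a `continues: true` reply; because varlink handles calls on one connection sequentially, the client's answers travel on a second connection as ordinary `Reply` calls. The NUL-terminated JSON framing is varlink's wire format; the interface name `org.example.Pam`, its method names, and the scripted "PAM stack" are constructed for illustration, and the simulated service never touches real PAM.

```python
import json
from collections import deque

# PAM message styles, as defined in Linux-PAM's <security/pam_appl.h>
PAM_PROMPT_ECHO_OFF = 1   # prompt whose answer must not be echoed (passwords)
PAM_PROMPT_ECHO_ON = 2    # prompt whose answer may be echoed
PAM_ERROR_MSG = 3         # error text, no answer expected
PAM_TEXT_INFO = 4         # informational text, no answer expected

# Hypothetical interface name chosen for this example; not a published interface.
IFACE = "org.example.Pam"


def encode(msg):
    """Varlink frames each message as one JSON object followed by a NUL byte."""
    return json.dumps(msg).encode() + b"\0"


def decode(buf):
    """Split a buffer of NUL-terminated frames back into JSON objects."""
    return [json.loads(part) for part in buf.split(b"\0") if part]


class PamService:
    """Simulated privileged service standing in for the one that would run PAM.

    `script` replaces the real module stack: a list of (style, prompt, required)
    where `required` is the answer that satisfies the prompt, or None for
    PAM_TEXT_INFO / PAM_ERROR_MSG, which take no answer.
    """

    def __init__(self, script):
        self.script = deque(script)
        self.pending = None            # prompt currently waiting for a Reply
        self.agent_out = bytearray()   # frames streamed on the agent's `more` call
        self.result = None             # final status once the conversation ends

    def handle_agent(self, raw):
        """Connection 1: the client registers with a long-lived `more` call and
        receives every conversation message as a `continues: true` reply."""
        (call,) = decode(raw)
        if call["method"] != f"{IFACE}.Converse" or not call.get("more"):
            self.agent_out += encode({"error": f"{IFACE}.InvalidCall"})
            return
        self._advance()

    def handle_reply(self, raw):
        """Connection 2: one Reply call per prompt, carrying the user's answer."""
        (call,) = decode(raw)
        if call["method"] != f"{IFACE}.Reply" or self.pending is None:
            return encode({"error": f"{IFACE}.UnexpectedReply"})
        _, _, required = self.pending
        self.pending = None
        if call["parameters"].get("response") != required:
            self._finish("PAM_AUTH_ERR")
        else:
            self._advance()
        return encode({"parameters": {}})

    def _advance(self):
        """Stream messages until one needs an answer or the stack is exhausted."""
        while self.script:
            style, prompt, required = self.script.popleft()
            self.agent_out += encode(
                {"parameters": {"style": style, "msg": prompt}, "continues": True})
            if required is not None:
                self.pending = (style, prompt, required)
                return
        self._finish("PAM_SUCCESS")

    def _finish(self, result):
        """Final reply of the `more` call: no `continues`, so the stream ends."""
        self.result = result
        self.agent_out += encode({"parameters": {"result": result}})


def run_client(service, answers):
    """Unprivileged client (what passwd/chsh/chfn would become): register, then
    answer each prompt from `answers` (prompt text -> response). Returns the
    final PAM status and the list of (style, msg) it was shown."""
    service.handle_agent(encode(
        {"method": f"{IFACE}.Converse", "parameters": {}, "more": True}))
    shown, offset = [], 0
    while True:
        frames = decode(bytes(service.agent_out[offset:]))
        offset = len(service.agent_out)
        if not frames:
            return "PAM_CONV_ERR", shown          # stream stalled without a result
        for frame in frames:
            if "error" in frame:
                return frame["error"], shown
            params = frame["parameters"]
            if "result" in params:
                return params["result"], shown
            shown.append((params["style"], params["msg"]))
            if params["style"] in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                service.handle_reply(encode({"method": f"{IFACE}.Reply",
                    "parameters": {"response": answers.get(params["msg"])}}))


def passwd_script():
    """Constructed stand-in for a password-change module stack."""
    return [
        (PAM_TEXT_INFO, "Changing password for alice.", None),
        (PAM_PROMPT_ECHO_OFF, "Current password: ", "old-secret"),
        (PAM_PROMPT_ECHO_OFF, "New password: ", "new-secret"),
        (PAM_PROMPT_ECHO_OFF, "Retype new password: ", "new-secret"),
    ]


if __name__ == "__main__":
    good = {"Current password: ": "old-secret", "New password: ": "new-secret",
            "Retype new password: ": "new-secret"}
    print(run_client(PamService(passwd_script()), good))
```

Two details matter for the setuid-removal goal: all conversation state (which prompt is outstanding, how many attempts remain) lives in the service, so a misbehaving client can only answer the prompt it was given, and a `Reply` arriving when nothing is pending is rejected with an error rather than being matched to a stale prompt. Timeouts, which Thorsten raises, would sit on the service side of the `more` call (abandon the session if no `Reply` arrives) and are not modelled here.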
