On Mon, Aug 25, 2025 at 10:34 AM Lennart Poettering <[email protected]> wrote:
>
> On Fr, 22.08.25 14:32, Thorsten Kukuk ([email protected]) wrote:
>
> > Hi,
> >
> > Would it be possible or has anybody ever tried to implement the PAM
> > conversation function (https://manpages.opensuse.org/pam_conv.3) via
> > varlink?
> >
> > To get rid of setuid binaries (here passwd, chsh and chfn) my idea was
> > to have a service running the PAM stack, and passwd, chsh and chfn are
> > "dumb" command line tools communicating via varlink with the service.
> > So that they don't need to be setuid.
> > I did that in the past already with sockets and TLS, but I would
> > prefer to use a modern framework to avoid doing everything by hand.
> >
> > My biggest concerns are currently the timeouts and how to do the
> > "communication", can you do that in one call to a method? So call a
> > method, that will send a message back, wait for answer, send the next
> > message, etc. until it's really finished?
>
> Varlink is pretty flexible, you can set any timeouts on method calls
> you want.
>
> I am not entirely following the precise communication scheme, but with
> varlink you can do call+response stuff, and call+manyresponses
> stuff. The latter is useful for enumeration and subscription, and for
> "agent registration" scenarios.
The many responses are not the problem as long as this is only the text
output. In that case I would do:

* client calls "chsh" method with "many responses"
* server chsh method starts pam stack
* pam_conv uses sd_varlink_notify to send output of the pam stack

But my problem is that the pam_conv function can not only output text,
but also requests input, and the client somehow needs to send that to
the right method. So:

* client calls "chsh" method with a new login shell.
* server needs to start the PAM stack, so pam_start(), pam_authenticate(),
  ... pam_end() in the chsh method.
* pam_authenticate() calls the pam_conv() callback to get a password.

I can use the "many responses" to send back the information that a
password is required, but how can the client send the password while
the called chsh method is still "running"?

My current idea is meanwhile:

* client calls chsh method
* server chsh method starts a thread doing pam authentication and quits
* client calls chsh_pam_conv method asking for status
* server chsh_pam_conv method synchronizes with the thread, if input is
  needed it sends back the data.
* client calls chsh_pam_conv method with password
* server chsh_pam_conv method synchronizes with the thread and does the
  next step
* do the previous steps in a loop until pam_end() got called.
* if everything passes, chsh_pam_conv method changes the shell.

Complex and ugly. Or is there a better way?

  Thanks,
    Thorsten

-- 
Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany
Managing Director: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
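The two-method design sketched above (a chsh method that starts a thread running the PAM stack, and a chsh_pam_conv method the unprivileged client polls to fetch prompts and deliver answers) can be modelled without any transport at all. The block below is an added example written for this page, not code from the thread, from systemd or from Linux-PAM: varlink is replaced by direct method calls returning dicts, the PAM stack is replaced by a stub that only shares real PAM's one awkward property (it obtains the secret through a blocking conv() callback it cannot be told about up front), and USERS, ChshService, Session, fake_pam_stack and client_chsh are all constructed names. What is real is the synchronisation pattern: two queues bridge the blocking callback to a request/response protocol, an unguessable session id ties follow-up calls to the conversation that created them, and both directions time out so an abandoned conversation cannot pin a thread (and the privileged action) forever.

```python
import queue
import secrets
import threading

# Constructed stand-in for passwd/shadow: uid -> {"password": ..., "shell": ...}.
USERS = {1000: {"password": "hunter2", "shell": "/bin/bash"}}


def fake_pam_stack(uid, conv):
    """Stand-in for pam_start()/pam_authenticate()/pam_end(). Like real PAM it
    blocks inside conv() until the secret arrives; conv() returning None plays
    the role of PAM_CONV_ERR. Returns True when authentication succeeded."""
    answer = conv("Password: ")
    if answer is None:
        return False
    return answer == USERS[uid]["password"]


class Session:
    """One in-flight conversation between the PAM thread and one client."""

    def __init__(self, uid, new_shell):
        self.uid = uid
        self.new_shell = new_shell
        self.to_client = queue.Queue()   # ("prompt", text) or ("done", ok) from the PAM thread
        self.to_pam = queue.Queue()      # answers from the client for the blocked conv()
        self.awaiting_answer = False     # reject answers that no prompt asked for


class ChshService:
    """Privileged service side. Method bodies return plain dicts in place of
    varlink replies; the socket transport is left out of the model."""

    def __init__(self, conv_timeout=5.0, poll_timeout=0.2):
        self.conv_timeout = conv_timeout   # how long PAM waits for the client's answer
        self.poll_timeout = poll_timeout   # how long one chsh_pam_conv call waits for an event
        self.sessions = {}
        self.lock = threading.Lock()

    def chsh(self, uid, new_shell):
        """Method 1: create a session, run the PAM stack in a thread, return at once."""
        session = Session(uid, new_shell)
        sid = secrets.token_hex(16)        # unguessable: only the creator can continue it
        with self.lock:
            self.sessions[sid] = session
        threading.Thread(target=self._run_pam, args=(session,), daemon=True).start()
        return {"session": sid}

    def _run_pam(self, session):
        def conv(prompt):
            session.awaiting_answer = True
            session.to_client.put(("prompt", prompt))
            try:
                return session.to_pam.get(timeout=self.conv_timeout)
            except queue.Empty:
                return None                # client never answered: conversation error
            finally:
                session.awaiting_answer = False

        ok = fake_pam_stack(session.uid, conv)
        if ok:
            USERS[session.uid]["shell"] = session.new_shell   # the privileged action
        session.to_client.put(("done", ok))

    def chsh_pam_conv(self, sid, answer=None):
        """Method 2: deliver an answer (if given), then report the next event."""
        with self.lock:
            session = self.sessions.get(sid)
        if session is None:
            return {"status": "error", "error": "no such session"}
        if answer is not None:
            if not session.awaiting_answer:
                return {"status": "error", "error": "no prompt pending"}
            session.to_pam.put(answer)
        try:
            kind, payload = session.to_client.get(timeout=self.poll_timeout)
        except queue.Empty:
            return {"status": "running"}   # nothing to report yet, poll again
        if kind == "prompt":
            return {"status": "prompt", "prompt": payload}
        with self.lock:                    # "done": the session is finished either way
            self.sessions.pop(sid, None)
        return {"status": "done" if payload else "failed"}


def client_chsh(service, uid, new_shell, responder):
    """The unprivileged 'dumb' client: loop until the service says done or failed.
    responder(prompt) supplies the user's input (a terminal in a real tool)."""
    sid = service.chsh(uid, new_shell)["session"]
    reply = service.chsh_pam_conv(sid)
    while reply["status"] in ("prompt", "running"):
        answer = responder(reply["prompt"]) if reply["status"] == "prompt" else None
        reply = service.chsh_pam_conv(sid, answer)
    return reply["status"]


if __name__ == "__main__":
    svc = ChshService()
    print(client_chsh(svc, 1000, "/bin/zsh", lambda prompt: "hunter2"), USERS[1000]["shell"])
```

Two points carry over to a real sd-varlink implementation. First, the session id alone only prevents guessing; the service should additionally bind the session to the caller's credentials (the peer uid the service obtains from the socket) so that the user whose shell is being changed is the only one who can answer the prompt. Second, the conv-side timeout is what actually protects the service: without it, a client that fetches the prompt and disconnects leaves a thread blocked inside pam_authenticate() indefinitely.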
