Hello,

On 05/06/13 10:06, Tollef Fog Heen wrote:
> ]] Jerome Benoit
>
>> the current Priority field in the PAM profile is zero
>> in such a way that no PAM module can run before pam-tmpdir,
>> even the ones that play pwj TMPDIR (as libpam-ssh not named
>> one): please can you increase the Priority of libpam-tmpdir
>> in such a way it allows to run a PAM module after it;
>> I cannot find a policy concerning the Priority, but setting
>> it to zero is rather drastic.
>
> This sounds reasonable, but the PAM policy does not really give any
> guidelines as to what it should be set to for non-auth modules.
>
> Steve, any chance you could provide some guidelines? The only spec-like
> document I've seen is https://wiki.ubuntu.com/PAMConfigFrameworkSpec
> which is what I've been going by.
>

I disagree, in the sense that some auth modules may depend on a relevant
effective TMPDIR to work properly, so implicitly the PAM policy (as specified
in the Ubuntu wiki) furnishes some guidelines.

Of course, I have my package in mind, libpam-ssh, which currently has a
priority of 64: basically it launches an ssh-agent(1) which binds the agent to a
UNIX-domain socket placed by default in $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>.
So, for my own concern, the priority of libpam-tmpdir must be at least 65.

Nevertheless, a less egocentric reading of the PAM policy lets me guess that the
priority may be higher but less than 256 (``local authentication''); for the
lower bound, as it makes sense that a ``strong measures'' module needs a
relevant effective TMPDIR, I guess that the priority must be strictly greater
than 128. On the other hand, libpam-tmpdir may implicitly need some
prerequirements while postrequirements may be needed as well: room must be
provided before and after. Therefrom, a priority of 128+(256-128)/2=192 for
libpam-tmpdir sounds reasonable wrt the Ubuntu documents cited above.

Do you plan to fix this issue soon?
I am asking because I am planning to harden the concerned part of the
libpam-ssh package.

Thanks.
Best wishes,
Jerome
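
The ordering argument in the message above, as an added example that is not part of the original mail or of either package: it parses two constructed profiles in the pam-configs field format and reports when the TMPDIR-providing profile would not be placed before the one that depends on it. It assumes, as the message's reasoning does, that a higher Priority is placed earlier in the stack; the profile keys, `Name` values and function names are hypothetical.

```python
# Added example. Constructed profiles in the pam-configs "Field: value" format;
# Priority 0 and 64 are the values quoted in the message, Name values are made up.
TMPDIR_PROFILE = """\
Name: Per-user temporary directories (constructed)
Default: yes
Priority: 0
Session-Type: Additional
Session:
    optional pam_tmpdir.so
"""
SSH_PROFILE = """\
Name: SSH agent login (constructed)
Default: yes
Priority: 64
Session-Type: Additional
Session:
    optional pam_ssh.so
"""

def parse_profile(text):
    """Parse one profile; indented lines continue the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] = (fields[last] + "\n" + line.strip()).strip()
        elif ":" in line:
            last, _, value = line.partition(":")
            fields[last] = value.strip()
    return fields

def priority(profile):
    return int(profile.get("Priority", 0))

def ordering_violations(profiles, constraints):
    """Check (earlier, later) pairs of profile keys against their priorities."""
    # Assumption: higher Priority is placed earlier in the stack. A tie is
    # reported as well, because the relative order is then not guaranteed.
    problems = []
    for earlier, later in constraints:
        pe, pl = priority(profiles[earlier]), priority(profiles[later])
        if pe <= pl:
            problems.append(f"{earlier}={pe} does not precede {later}={pl}")
    return problems

def with_priority(text, value):
    """Return the profile text with its Priority field replaced."""
    return "\n".join(f"Priority: {value}" if ln.startswith("Priority:") else ln
                     for ln in text.splitlines())
```

Such a check can run in a package's test suite so that a later priority change in either profile does not silently reorder the stack.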