Hi Arthur,

On Thu, May 27, 2010 at 09:40:19PM +0200, Arthur de Jong wrote:
> Subject: pam_unix' pam_auth_update profile should use "Additional" not
> "Primary" for account?
> Package: libpam-runtime
> Version: 1.1.1-3
> File: /usr/share/pam-configs/unix
> Severity: normal
> (this may be more of a question so feel free to close it with an
> answer ;) )
>
> While fixing a bug in libpam-ldapd's pam-auth-update configuration file
> I noticed that pam_unix has Account-Type: Primary set. Should this
> really be the case? From what I understand of [1] I think it should be
> Additional because when doing authorisation all PAM modules should allow
> access, not just the first that allows access. libpam-ldap and
> libpam-ldapd also use(d) Primary but because libnss-ldap also exposes
> shadow information pam_unix always decided before pam_ldap ever got the
> chance to look at it.
>
> Should there be any PAM modules that use Primary for account?
>
> [1] https://wiki.ubuntu.com/PAMConfigFrameworkSpec

Well, that's an interesting question. I don't have a definitive answer for
you about whether these should all be Additional instead of Primary.

Currently on my system, I have pam_krb5 as 'Additional', because it imposes
other checks in addition to those of pam_unix (pam_krb5 never implies a
separate NSS backend); and pam_winbind is 'Primary', which is not what people
want in all situations - you may want to impose other group membership
requirements with pam_winbind's 'require_membership_of=' option - but I don't
see any way that it's harmful (insecure) to do this by default. So I *could*
move this to 'Additional' (and add the 'unknown_ok' option), but I don't see
any reason that it's required to do so; and OTOH it might provoke network
delays in critical paths if we did.

So while it's clearly a bug for the *ldap* profiles to be marked Primary for
authorization, I think it's fine for pam_unix to be listed as Primary.

What do you think?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
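The point Arthur and Steve are discussing (a Primary account module that succeeds jumps over every later Primary, so pam_ldap's own authorisation checks are never evaluated once pam_unix has accepted a user that libnss-ldap made visible; an Additional module is stacked as `required` after the Primary block and must also agree) can be seen directly by composing the common-account stack the way pam-auth-update lays it out and walking it with pam.d(5) control semantics. The following is an added example, not code from libpam-runtime, libpam-ldap or the Debian bug; it reimplements only the part of the composition rule and the `[value=action]` semantics needed here, and the per-module return codes (pam_unix accepting, pam_ldap denying on its own policy) are a constructed scenario, not the output of real modules.

```python
"""Reduced model of a pam-auth-update 'account' stack and of how Linux-PAM
walks it.  Added example: the composition rule mirrors the shape of the
generated common-account file (Primary modules chained with
[success=N new_authtok_reqd=done default=ignore], then requisite pam_deny,
required pam_permit, then Additionals as 'required'); the control-flag
handling is a simplified restatement of pam.d(5).  Nothing here is
libpam-runtime's own code."""

# pam.d(5) shorthand controls, as the [value=action ...] maps they abbreviate.
SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# Fixed behaviour of the two gate modules for the account type
# (assumption for the model: pam_permit always succeeds, pam_deny always fails).
BUILTIN = {"pam_permit.so": "success", "pam_deny.so": "acct_expired"}


def parse_control(control):
    """Turn 'required' or '[success=2 default=ignore]' into a dict of actions."""
    control = SHORTHAND.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("bad control field: %r" % control)
    return dict(kv.split("=", 1) for kv in control[1:-1].split())


def parse_line(line):
    """Split 'account <control> <module> [args]' into (actions, module)."""
    _type, rest = line.split(None, 1)
    rest = rest.strip()
    if rest.startswith("["):
        end = rest.index("]")
        control, module = rest[:end + 1], rest[end + 1:].split()[0]
    else:
        control, module = rest.split(None, 1)
        module = module.split()[0]
    return parse_control(control), module


def build_account_stack(profiles):
    """profiles: list of (module, Account-Type) in priority order, with the
    type being 'Primary' or 'Additional' as in /usr/share/pam-configs/*.
    Each Primary jumps over the remaining Primaries and pam_deny on success,
    so the first Primary that accepts the user decides the whole block."""
    primaries = [m for m, t in profiles if t == "Primary"]
    additionals = [m for m, t in profiles if t == "Additional"]
    lines = []
    for i, mod in enumerate(primaries):
        skip = len(primaries) - i            # remaining Primaries + pam_deny
        lines.append("account [success=%d new_authtok_reqd=done default=ignore] %s"
                     % (skip, mod))
    lines.append("account requisite pam_deny.so")
    lines.append("account required pam_permit.so")
    for mod in additionals:
        lines.append("account required %s" % mod)
    return lines


def run_stack(lines, results):
    """Walk the stack with per-module return codes from `results`
    (module -> PAM code name such as 'success', 'perm_denied', 'user_unknown').
    Returns (final status, list of modules that were actually consulted)."""
    entries = [parse_line(line) for line in lines]
    status = None                            # None: nothing has contributed yet
    consulted = []
    i = 0
    while i < len(entries):
        actions, module = entries[i]
        ret = results.get(module, BUILTIN.get(module))
        if ret is None:
            raise KeyError("no result supplied for %s" % module)
        consulted.append(module)
        action = actions.get(ret, actions["default"])
        i += 1
        if action == "ignore":
            continue
        if action == "reset":
            status = None
            continue
        # ok / bad / done / die / N all let this module's code contribute,
        # but an earlier recorded failure is kept and not overridden.
        if status in (None, "success"):
            status = ret
        if action in ("done", "die"):        # terminate the stack now
            break
        if action.isdigit():                 # N: ok plus jump over N modules
            i += int(action)
    return (status if status is not None else "perm_denied"), consulted


def demo(ldap_type):
    """Constructed scenario: libnss-ldap exposes the user's shadow entry so
    pam_unix accepts the account, while pam_ldap's own policy would deny it."""
    stack = build_account_stack([("pam_unix.so", "Primary"),
                                 ("pam_ldap.so", ldap_type)])
    results = {"pam_unix.so": "success", "pam_ldap.so": "perm_denied"}
    return run_stack(stack, results)


if __name__ == "__main__":
    for kind in ("Primary", "Additional"):
        print(kind, demo(kind))
```

With pam_ldap as Primary the walk consults pam_unix and pam_permit only and returns success: pam_ldap's denial was never evaluated, which is the "pam_unix always decided before pam_ldap ever got the chance" effect from the bug report. With pam_ldap as Additional it is consulted after pam_permit as `required`, and its perm_denied becomes the stack result. The same evaluator also shows why pam_unix alone is safe as Primary: a user_unknown result is `default=ignore`, so control falls through to the requisite pam_deny rather than to pam_permit.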