Hi folks,

With the upload of pam 1.0.1-11 to unstable, we've fixed a long-standing bug in the /etc/pam.d/common-* abstractions: namely, that there was no way to set separate system-wide policies for interactive vs. non-interactive sessions (bug #169930).

The PAM MiniPolicy (/usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz) explains this new functionality as follows:

  The selection of common-session or common-session-noninteractive is based on whether the service provides "shell-like" interactive capabilities to the user (e.g.: login, ssh, gdm) or is a non-interactive session or a session mediated by a structured protocol (e.g.: cron, cups, samba, ppp). This allows a service to avoid calling some modules, such as pam_ck_connector, that only make sense in an interactive context and should be avoided otherwise. It is expected that the modules used for noninteractive sessions will always be a subset of those used for interactive sessions.

  [...]

  Applications that use common-session-noninteractive must depend on libpam-runtime (>= 1.0.1-11) for this file.

So if you maintain a package that provides a PAM-using service and implements non-interactive sessions, there's a transition ahead. Please consider changing your /etc/pam.d/ config file to include common-session-noninteractive instead of common-session, and add a versioned dependency on libpam-runtime (>= 1.0.1-11), at your convenience.

If you have doubts about whether your package should use common-session vs. common-session-noninteractive, feel free to contact the PAM maintainers (mailing list cc:ed), or you can just wait for someone to file a bug on your package.

On the module side, we of course need a way for a profile to specify whether its session module should be used for interactive sessions only, or for all sessions. https://wiki.ubuntu.com/PAMConfigFrameworkSpec[1] has been updated to document a new profile field for this:

  A profile which declares it implements the session module type may also use the field

    Session-Interactive-Only: yes

  to indicate it should only be used in sessions for interactive services (e.g.: login, ssh, gdm).

Off the top of my head, the only module package I know which already implements pam-auth-update support and will need to change for this is libpam-ck-connector, which I'll file a bug for shortly. No change is needed to the dependencies of module packages for this new feature - it will be ignored by old versions of pam-auth-update, and automatically recognized by new versions on upgrade.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

[1] which is way overdue for merging into the PAM MiniPolicy...
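
Added example, not part of the original message or of the pam package: a small audit that flags PAM service files for non-interactive services which still pull in common-session rather than common-session-noninteractive. The service file names and the sample files are assumptions constructed for illustration; the services are the ones the MiniPolicy text above gives as examples.

```python
import re
import tempfile
from pathlib import Path

# Examples of non-interactive services named in the announcement; the
# matching /etc/pam.d file names are an assumption of this example.
NONINTERACTIVE = {"cron", "cups", "samba", "ppp"}

# Matches "@include common-session" and "session include|substack common-session",
# but not common-session-noninteractive (the name must end the token).
PULLS_COMMON_SESSION = re.compile(
    r"^\s*(?:@include|-?session\s+(?:include|substack))\s+common-session(?=\s|$)"
)


def audit_pam_dir(pam_dir, services=NONINTERACTIVE):
    """Return (service, line_no, text) for each non-interactive service
    whose PAM file still pulls in the interactive common-session stack."""
    findings = []
    for name in sorted(services):
        path = Path(pam_dir) / name
        if not path.is_file():
            continue
        for no, raw in enumerate(path.read_text().splitlines(), 1):
            line = raw.split("#", 1)[0]  # drop comments
            if PULLS_COMMON_SESSION.match(line):
                findings.append((name, no, raw.strip()))
    return findings


def demo():
    """Run the audit over a constructed pam.d tree (not real system files)."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "cron": "@include common-auth\n@include common-session\n",
            "cups": "@include common-auth\n@include common-session-noninteractive\n",
            "ppp": "# @include common-session\nsession include common-session\n",
            "sshd": "@include common-session\n",  # interactive: not audited
        }
        for name, body in files.items():
            (Path(d) / name).write_text(body)
        return audit_pam_dir(d)


if __name__ == "__main__":
    for service, no, text in demo():
        print(f"{service}:{no}: {text} -> use common-session-noninteractive")
```

On a real system, call audit_pam_dir("/etc/pam.d") with the set of service names that apply to the installed packages.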