Date:      Sun, 10 Jun 2007 22:58:52 +0400
From:      Yar Tikhiy <yar@comp.chem.msu.su>
To:        david@wood2.org.uk, dinoex@FreeBSD.org, garga@FreeBSD.org, gnome@FreeBSD.org, kuriyama@FreeBSD.org, nakaji@jp.FreeBSD.org, olgeni@FreeBSD.org, oliver@FreeBSD.org, pirzyk@FreeBSD.org, ports@FreeBSD.org, robin@isometry.net, sergei@FreeBSD.org, thomas@bsdunix.ch, timur@gnu.org, xride@FreeBSD.org
Subject:   HEADS UP: a change to PAM affecting some ports
Message-ID:  <20070610185852.GA96312@bsd.chem.msu.ru>

Hi there,

As per discussion with re@ and the PAM maintainer, I'm about to
commit a change to CURRENT's pam_nologin(8) that needs consequent
changes to pam.conf(5) files.  Namely, the module's PAM function
class will change from "auth" to "account".

How ports are concerned:

First of all, a few ports install functional or sample pam.d files
referring to pam_nologin.so.  In order to be compatible with old and
new pam_nologin.so and not care about the system version, such ports
can list the module in their pam.conf(5) files under both function
classes:

	# auth
	auth		required	pam_nologin.so	no_warn
	# account
	account		required	pam_nologin.so

Some attention may be needed to ports that describe in their
documentation or install messages how to set up PAM for them.  Such
ports can suggest the backward-compatible setup, too.  Another
option is to tell that in FreeBSD 7.0 and later pam_nologin should
be listed under "account".

Finally, there are ports for sysadmin consoles and GUIs that can
configure pam.d files.  Such ports may need upstream changes in
case they can handle FreeBSD pam.d at all.

The most prudent ports can use __FreeBSD_version / OSVERSION of
700045 to detect the change point.

After some grep'ing of the ports tree and packages-current, I got
the following list of ports grouped by the way of their using, or
referring to, pam_nologin.so.  This heads-up message is addressed
to the maintainers of those ports.  Please locate ports you maintain
and make appropriate changes if needed.  Feel free to contact me
for tech details if in doubt.  Thank you, and excuse me for loading
you with the work!

Here's the list, with some notes in parentheses:

>>> installs a functional file in pam.d:

net/radiusd-cistron (BUG: seems to use wrong location of ${prefix}/pam.d in the package archive)
x11/wdm

>>> installs a sample pam.d file in examples:

ftp/pure-ftpd
mail/anubis
security/cyrus-sasl (maintained by ports@)

>>> mentions pam_nologin.so usage in documentation:

japanese/samba
japanese/samba3
mail/dovecot
mail/perdition (installs a Linux-specific pam.conf example in share/doc)
net/freeradius
net/freeradius-mysql
net/samba3
security/courier-authlib-base
security/pam_smb (maintained by ports@)

>>> suggests pam.conf(5) lines in install messages:

x11/xscreensaver-gnome

>>> operates on pam.d files:

sysutils/psgconf
sysutils/webmin (seems to handle Linux PAM only)

>>> END

-- 
Yar
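
Added example (not part of the original message or of any port): a shell check that reports under which function classes a pam.d or pam.conf(5) file lists pam_nologin.so, and whether that matches a given OSVERSION. It assumes OSVERSION values at or above 700045 use the "account" class; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Print which function classes list pam_nologin.so in a PAM policy file:
# both, auth-only, account-only or none.
nologin_classes() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            # pam.d files begin with the function class; /etc/pam.conf
            # lines begin with a service name, so the class is field 2.
            i = ($1 ~ /^(auth|account|session|password)$/) ? 1 : 2
            for (j = i + 2; j <= NF; j++)
                if ($j ~ /(^|\/)pam_nologin\.so$/) { seen[$i] = 1; break }
        }
        END {
            if (seen["auth"] && seen["account"]) print "both"
            else if (seen["auth"])               print "auth-only"
            else if (seen["account"])            print "account-only"
            else                                 print "none"
        }' "$1"
}

# Succeed when FILE lists the module under the class used at OSVERSION.
# Assumption: OSVERSION >= 700045 means the new ("account") module.
nologin_listed_for() {    # usage: nologin_listed_for FILE OSVERSION
    case "$(nologin_classes "$1")" in
        both)         return 0 ;;
        auth-only)    [ "$2" -lt 700045 ] ;;
        account-only) [ "$2" -ge 700045 ] ;;
        *)            return 1 ;;
    esac
}

# Constructed sample files (not taken from any port).
SAMPLES=$(mktemp -d)
printf '%s\n' '# auth' 'auth  required  pam_nologin.so  no_warn' \
    'auth  required  pam_unix.so' > "$SAMPLES/old"
printf '%s\n' 'auth  required  pam_nologin.so  no_warn' \
    '#account required pam_nologin.so' \
    'account  required  /usr/lib/pam_nologin.so' > "$SAMPLES/compat"
printf '%s\n' 'xdm  account  required  pam_nologin.so' > "$SAMPLES/conf"

for f in old compat conf; do
    echo "$f: $(nologin_classes "$SAMPLES/$f")"
done
```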
