Replacing Linux-PAM with OpenPAM
By the way, talking about "alternatives", what about linking Shadow to OpenPAM (in BMLFS, in this case) instead of Linux-PAM? I didn't find much information about why most distributions link to Linux-PAM instead of OpenPAM (is it just a question of compatibility?), and it would be interesting to have OpenPAM as an alternative. I've tested it at Copacabana Linux; it compiles just fine with musl.
Originally posted by @takusuman in https://github.com/dslm4515/CMLFS/issues/77#issuecomment-1382643547
Tracking changes here to be done when using OpenPAM instead of Linux-PAM
OpenPAM does not provide pam_warn.so ... which is referenced in /etc/pam.d/other ... for now remove pam_warn from /etc/pam.d/other
sudo can be compiled with pam support by OpenPAM, but OpenPAM lacks pam_env.so .
pam_env is planned for deprecation in Linux-PAM. Per release notes of Linux-PAM 1.5.0:
pam_env: Reading of the user environment is deprecated and will be removed
at some point in the future.
Yet according to a bug ticket for FreeBSD:
Some distributions of Linux have configured and activated pam_env[0] from the LinuxPAM project. The OpenPAM project lacks this module but it's easy enough to write. It sets environment variables for an authenticated session from a file named /etc/environment by default.
A similar module for OpenPAM works just fine for ssh and several other cases, but not for cron. ..
Is pam_env.so written as separate module for OpenPAM, or is another module used?
Also sudo needs the setuid bit. Login as root, execute:
chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo
Void Linux doesn't use the pam_env.so for sudo's pam configuration
auth include system-auth
account include system-auth
session include system-auth
sudo doesn't seem to work with openPAM?
$ sudo ls /root
sudo: unable to initialize PAM: Operation not permitted
Also, openPAM is missing modules. Only 3 are built:
pam_deny.so
pam_permit.so
pam_return.so
pam_unix.so
There are no pam_rootok.so or pam_nologin.so
For reference, I am using the source at https://sourceforge.net/projects/openpam/files/openpam/Tabebuia/openpam-20190224.tar.gz
But if I look at a FreeBSD repo, the last commit was 5 months ago (compared to the openPAM version I used, which was released in 2019) and there are a lot more PAM modules:
pam_root
pam_deny
pam_echo
pam_exec
< and more >
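To catch the two problems noted above (pam_warn.so referenced from /etc/pam.d/other but not shipped, and the short OpenPAM module list) before a login path breaks, here is an added check script. It is not from the thread or from OpenPAM; the module directory /usr/lib/security and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# check_pam_modules PAMD_DIR MOD_DIR
# Lists every module referenced in PAMD_DIR/* that does not exist in MOD_DIR.
# Returns 0 when every referenced module is present, 1 otherwise.
check_pam_modules() {
  pamd_dir=$1
  mod_dir=$2
  missing=$(
    awk '
      /^[[:space:]]*#/ || NF < 3 { next }
      # "include"/"substack" name another config file, not a module
      $2 == "include" || $2 == "substack" { next }
      {
        i = 3
        # bracketed control fields ("[success=1 default=ignore]") may span words
        if ($2 ~ /^\[/) while (i <= NF && $(i - 1) !~ /]$/) i++
        if (i <= NF) print FILENAME "\t" $i
      }' "$pamd_dir"/* |
    while IFS="$(printf '\t')" read -r conf mod; do
      case $mod in
        /*) path=$mod ;;
        *)  path=$mod_dir/$mod ;;
      esac
      [ -e "$path" ] || printf '%s: %s not found in %s\n' "$conf" "$mod" "$mod_dir"
    done
  )
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# make_demo_tree: constructed sample tree mirroring the situation in the thread:
# only the four OpenPAM modules are built, while pam.d/other still wants pam_warn.so.
# Prints the root of the tree.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/security" "$d/pam.d"
  for m in pam_deny pam_permit pam_return pam_unix; do : > "$d/security/$m.so"; done
  printf 'auth required pam_deny.so\nauth required pam_warn.so\n' > "$d/pam.d/other"
  printf 'auth include system-auth\nsession include system-auth\n' > "$d/pam.d/sudo"
  printf 'auth [success=1 default=ignore] pam_unix.so\nauth required pam_permit.so\n' \
    > "$d/pam.d/system-auth"
  printf '%s\n' "$d"
}

# Example run: check_pam_modules "$(make_demo_tree)/pam.d" "<tree>/security"
# reports "other: pam_warn.so not found"; on a real system use /etc/pam.d /usr/lib/security
```

Run it against a rebuilt OpenPAM before the first reboot; anything it prints is a service that will fail PAM initialization.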
Perhaps, there is a missing module for sudo. Per this discussion:
With PAM, a normal user could use his own password for authentication without being setuid-root. That's a default behavior on Linux-PAM.
For NetBSD and FreeBSD, an additional PAM module is required.
NetBSD: The PAM module is in pkgsrc: security/pam-pwauth_suid
FreeBSD: Visit this page: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253073 Download the attachment and extract it to /usr/ports/security.
But if I look at a FreeBSD repo, the last commit was 5 months ago (compared to the openPAM version I used, which was released in 2019) and there are a lot more PAM modules:
pam_root pam_deny pam_echo pam_exec < and more >
So the BSD folks are leaving us Linux folks behind once again?
Perhaps, there is a missing module for sudo. Per this discussion:
With PAM, a normal user could use his own password for authentication without being setuid-root. That's a default behavior on Linux-PAM.
For NetBSD and FreeBSD, an additional PAM module is required.
FreeBSD: Visit this page: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253073 Download the attachment and extract it to /usr/ports/security.
So maybe we could just take these from FreeBSD (or even NetBSD) and apply as patches? I think the only problem would be portability, since these are made to run on *BSD and not on Linux, but we can fix this.
But if I look at a FreeBSD repo, the last commit was 5 months ago (compared to the openPAM version I used, which was released in 2019) and there are a lot more PAM modules:
pam_root pam_deny pam_echo pam_exec < and more >
Also found the same on NetBSD's: http://ftp.jp.freebsd.org/pub/NetBSD/NetBSD-release-9/src/lib/libpam/modules/pam_unix/
I'm a little busy recently, but if you need any help with building these, just get in touch with me.
From my experience with Heirloom NG, I think I can help with porting the code to Linux.
If I'm not mistaken, it theoretically should be easy, since, according to this page (which talks about Linux -> NetBSD source compatibility), code written to run on Linux needs little to no change to run on NetBSD, so I'll bet this also implies that NetBSD source code will run on Linux with little modification --- at most, with some #include directives wrapped in #if defined()'s.
cc.: @dslm4515
By the way, could we build OpenPAM before Shadow in the "vanilla" Musl-LFS? So we can link Shadow utilities with OpenPAM without having to rebuild it. At least, Adélie is built in this way.
Found an abandoned (written in 2008, last updated in 2014) project which wrote some Linux-specific modules for OpenPAM: https://github.com/fim/openpam-modules