From nobody Tue Sep 07 12:30:10 2021
Date: Tue, 07 Sep 2021 14:30:10 +0200
From: Steffen Nurpmeso
To: Konstantin Belousov
Cc: freebsd-current@freebsd.org, FreeBSD Hackers
Subject: Re: PAM module for loading ZFS keys on login
Message-ID: <20210907123010.iuiKD%steffen@sdaoden.eu>
References: <67F44CFE-2496-4B13-8583-8A80D9ED3A4A@unrelenting.technology> <20210906140137.iGt2J%steffen@sdaoden.eu>
Mail-Followup-To: Konstantin Belousov, freebsd-current@freebsd.org, FreeBSD Hackers
User-Agent: s-nail v14.9.22-175-gc118a4a5c7
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Konstantin Belousov wrote in
 :
 |On Mon, Sep 06, 2021 at 04:01:37PM +0200, Steffen Nurpmeso wrote:
 |> Eric McCorkle wrote in
 |> :
 |>|Interesting, I wasn't aware of the upstream module. I'd say that's
 |>
 |> Its existence was the reason i have readded (now optional, and
 |> a tad different) session support for my pam_xdg PAM module,
 |> because i was thinking that, if such a many-eyes-seen thing of
 |> a software project that claims to be and aims at being enterprise,
 |> ships such a terrible and terribly broken thing, then i can also
 |> offer session tracking. But my manual at least states
 |>
 |> CAVEATS
 |>      On Unix systems any “daemonized” program or script is reparented to the
 |>      program running with PID 1, most likely leaving the PAM user session
 |>      without PAM recognizing this. Yet careless such code may
 ...
 |If you use reaper facility, that would ensure that all (grand-)children
 |of your session are always reparented to the reaper and not to init. In
 |other words, you can reliably know when the session ends. See
 |procctl(2) PROC_REAP_* commands.
 |
 |I believe that reaper-like functionality is available on all current
 |Unix-like systems, even if under different names.

Ah it is really, really cool what becomes possible (everywhere;)!
So (Open)PAM should maybe (configurably) enable this for all
programs which actually use modules which use session management.
  #?0|kent:free-src.git$ git grep PROC_REAP_ origin/main | grep -vE '\.2:|:tests/' | sed -E 's/^(.+:.+):.+$/\1/' | sort -u
  origin/main:sys/compat/freebsd32/freebsd32_misc.c
  origin/main:sys/kern/kern_procctl.c
  origin/main:sys/sys/procctl.h
  origin/main:usr.bin/timeout/timeout.c

I do not have systemd here, but on Linux the situation seems similar:

  #?0|kent:x$ tar -xf /x/balls/shadow/shadow-4.8.1.tar.xz
  #?0|kent:x$ grep -r REAP shadow-4.8.1/
  #?1|kent:x$ tar -xf /x/balls/linux-pam/Linux-PAM-1.5.1.tar.xz
  #?0|kent:x$ grep -r REAP Linux-PAM-1.5.1/
  [yes, pam_unix defines UNIX_REAP, not PR_SET_CHILD_SUBREAPER]
  #?0|kent:x$ tar -xf /x/balls/openssh/openssh-8.7p1.tar.gz
  #?0|kent:x$ grep -r REAP openssh-8.7p1/
  #?1|kent:x$

Maybe this is why systemd flies, i would guess it does, and this then
gives you reliable session management. I did not really know that
actually, .. consciously.

This is really cool, but still also that upstream OpenZFS module, and
my one, and who knows which other PAM module also, perform really bad
sad and bitter session counting via counter files, ... but that is
a different topic.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
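The reaper facility Konstantin points at, as an added example that is not from this thread or from pam_xdg or the OpenZFS module: the process makes itself a reaper (procctl(2) PROC_REAP_ACQUIRE on FreeBSD, the Linux PR_SET_CHILD_SUBREAPER named in the mail) and then shows that a classic double-forked "daemon" ends up reparented to it rather than to PID 1, which is the failure the pam_xdg CAVEATS paragraph describes. The function names and the pipe used to report the grandchild's new parent are my own construction.

```c
/* Added example, not code from the thread: make the current process a reaper
 * so a double-forked "daemon" is reparented to us rather than to PID 1. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/procctl.h>   /* procctl(2) PROC_REAP_ACQUIRE, see sys/sys/procctl.h */
#define BECOME_REAPER() procctl(P_PID, getpid(), PROC_REAP_ACQUIRE, NULL)
#elif defined(__linux__)
#include <sys/prctl.h>     /* the Linux equivalent named in the mail */
#define BECOME_REAPER() prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0)
#endif

/* Returns 0 on success, -1 on failure. */
int become_reaper(void) { return BECOME_REAPER() == 0 ? 0 : -1; }

/* Start a child that daemonizes the classic way (fork, middle process exits).
 * The grandchild waits until its original parent is gone, then reports its
 * new parent pid over a pipe. Returns that pid, or -1 on error. */
pid_t orphaned_daemon_parent(void) {
    int fd[2];
    if (pipe(fd) == -1) return -1;
    pid_t mid = fork();
    if (mid == -1) return -1;
    if (mid == 0) {                       /* middle process */
        pid_t self = getpid();
        if (fork() == 0) {                /* grandchild: the "daemon" */
            struct timespec ts = {0, 1000000};
            while (getppid() == self) nanosleep(&ts, NULL);
            pid_t pp = getppid();         /* whoever adopted us */
            if (write(fd[1], &pp, sizeof pp) < 0) _exit(1);
            _exit(0);
        }
        _exit(0);                         /* orphan the grandchild */
    }
    close(fd[1]);
    pid_t reported = -1;
    if (read(fd[0], &reported, sizeof reported) != (ssize_t)sizeof reported) reported = -1;
    close(fd[0]);
    while (waitpid(-1, NULL, 0) > 0) {}   /* as reaper we collect the grandchild too */
    return reported;
}

int main(void) {
    if (become_reaper() != 0) { perror("become_reaper"); return 1; }
    pid_t p = orphaned_daemon_parent();
    printf("daemon reparented to %ld, we are %ld\n", (long)p, (long)getpid());
    return p == getpid() ? 0 : 1;
}
```

Without the reaper call the same program reports PID 1 (or the nearest enclosing subreaper), which is why a PAM session module that only tracks its direct children loses sight of anything that daemonizes.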