From nobody Mon Sep 06 14:01:37 2021
X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 3FB6917BCB87;
	Tue,  7 Sep 2021 11:29:17 +0000 (UTC)
	(envelope-from steffen@sdaoden.eu)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4H3jhr3k8bz4X5P;
	Tue,  7 Sep 2021 11:29:16 +0000 (UTC)
	(envelope-from steffen@sdaoden.eu)
Received: from kent.sdaoden.eu (kent.sdaoden.eu [10.5.0.2])
	by sdaoden.eu (Postfix) with ESMTPS id 7B9C716056;
	Mon,  6 Sep 2021 16:01:39 +0200 (CEST)
Received: by kent.sdaoden.eu (Postfix, from userid 1000)
	id 8D281F7B; Mon,  6 Sep 2021 16:01:37 +0200 (CEST)
Date: Mon, 06 Sep 2021 16:01:37 +0200
Author: Steffen Nurpmeso <steffen@sdaoden.eu>
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: freebsd-current@freebsd.org
Cc: Eric McCorkle <eric@metricspace.net>,
 Greg <greg@unrelenting.technology>,
 FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: PAM module for loading ZFS keys on login
Message-ID: <20210906140137.iGt2J%steffen@sdaoden.eu>
In-Reply-To: <b265fa82-53f2-59f4-65c2-b07a9412bf83@metricspace.net>
References: <b4d216da-d4b8-12a6-3873-566e5044678c@metricspace.net>
 <67F44CFE-2496-4B13-8583-8A80D9ED3A4A@unrelenting.technology>
 <b265fa82-53f2-59f4-65c2-b07a9412bf83@metricspace.net>
Mail-Followup-To: freebsd-current@freebsd.org,
 Eric McCorkle <eric@metricspace.net>,
 Greg <greg@unrelenting.technology>,
 FreeBSD Hackers <freebsd-hackers@freebsd.org>
User-Agent: s-nail v14.9.22-175-gc118a4a5c7
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD;
 url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in
 the world can make no bugs.
List-Id: Technical discussions relating to FreeBSD <freebsd-hackers.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
List-Help: <mailto:freebsd-hackers+help@freebsd.org>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Subscribe: <mailto:freebsd-hackers+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-hackers+unsubscribe@freebsd.org>
Sender: owner-freebsd-hackers@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Rspamd-Queue-Id: 4H3jhr3k8bz4X5P
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=pass (mx1.freebsd.org: domain of steffen@sdaoden.eu designates 217.144.132.164 as permitted sender) smtp.mailfrom=steffen@sdaoden.eu
X-Spamd-Result: default: False [-2.30 / 15.00];
	 ARC_NA(0.00)[];
	 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	 FROM_HAS_DN(0.00)[];
	 RCPT_COUNT_THREE(0.00)[4];
	 R_SPF_ALLOW(-0.20)[+a:c];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 MIME_GOOD(-0.10)[text/plain];
	 DMARC_NA(0.00)[sdaoden.eu];
	 TO_DN_SOME(0.00)[];
	 TO_MATCH_ENVRCPT_SOME(0.00)[];
	 NEURAL_HAM_SHORT(-1.00)[-0.999];
	 MID_CONTAINS_FROM(1.00)[];
	 FROM_EQ_ENVFROM(0.00)[];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ASN(0.00)[asn:15987, ipnet:217.144.128.0/20, country:DE];
	 RCVD_COUNT_TWO(0.00)[2];
	 RCVD_TLS_ALL(0.00)[]
X-Spam: Yes
X-ThisMailContainsUnwantedMimeParts: N

Eric McCorkle wrote in
 <b265fa82-53f2-59f4-65c2-b07a9412bf83@metricspace.net>:
 |Interesting, I wasn't aware of the upstream module.  I'd say that's

It's existence was the reason i have readded (now optional, and
a tad different) session support for my pam_xdg PAM module,
because i was thinking that, if such a many-eyes-seen thing of
a software project that claims to be and aims at being enterprise,
ships such a terrible and terribly broken thing, then i can also
offer session tracking.  But my manual at least states

  CAVEATS
       On Unix systems any =E2=80=9Cdaemonized=E2=80=9D program or script i=
s reparented to the
       program running with PID 1, most likely leaving the PAM user session
       without PAM recognizing this.  Yet careless such code may hold or ex=
pect
       availability of resources of the session it just left, truly perform=
ing
       cleanup when sessions end seems thus unwise.  Since so many PAM modu=
les
       do support session tracking and cleanup pam_xdg.so readded optional =
sup=E2=80=90
       port for this.

But the real solution would be PAM session tracking in-kernel,
somehow, wouldn't it?
Also, on FreeBSD and OpenPAM many separate files exist in
/etc/pam.d for things which might open a session, whereas linuxpam
at least has /etc/pam.d/common-session; it has many common- things
in fact, and in /etc/pam.d/sshd i for example see

  #
  # /etc/pam.d/sshd - openssh service module configuration
  #

  auth        include common-auth

  account     include common-account

  password    include common-password

  session     include common-session

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)