Re: PAM module for loading ZFS keys on login

Reply: Steffen Nurpmeso : "Re: PAM module for loading ZFS keys on login"
In reply to: Steffen Nurpmeso : "Re: PAM module for loading ZFS keys on login"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Konstantin Belousov <kostikbel_at_gmail.com>
Date: Tue, 07 Sep 2021 11:37:44 UTC

On Mon, Sep 06, 2021 at 04:01:37PM +0200, Steffen Nurpmeso wrote:
> Eric McCorkle wrote in
>  <b265fa82-53f2-59f4-65c2-b07a9412bf83@metricspace.net>:
>  |Interesting, I wasn't aware of the upstream module.  I'd say that's
> 
> It's existence was the reason i have readded (now optional, and
> a tad different) session support for my pam_xdg PAM module,
> because i was thinking that, if such a many-eyes-seen thing of
> a software project that claims to be and aims at being enterprise,
> ships such a terrible and terribly broken thing, then i can also
> offer session tracking.  But my manual at least states
> 
>   CAVEATS
>        On Unix systems any “daemonized” program or script is reparented to the
>        program running with PID 1, most likely leaving the PAM user session
>        without PAM recognizing this.  Yet careless such code may hold or expect
>        availability of resources of the session it just left, truly performing
>        cleanup when sessions end seems thus unwise.  Since so many PAM modules
>        do support session tracking and cleanup pam_xdg.so readded optional sup‐
>        port for this.
If you use reaper facility, that would ensure that all (grand-)children
of your session are always reparented to the reaper and not to init.  In
other words, you can reliable know when the session ends.  See
procctl(2) PROC_REAP_* commands.

I believe that reaper-like functionality is available on all current
Unix-like systems, even if under different names.

> 
> But the real solution would be PAM session tracking in-kernel,
> somehow, wouldn't it?
> Also, on FreeBSD and OpenPAM many separate files exist in
> /etc/pam.d for things which might open a session, whereas linuxpam
> at least has /etc/pam.d/common-session; it has many common- things
> in fact, and in /etc/pam.d/sshd i for example see
> 
>   #
>   # /etc/pam.d/sshd - openssh service module configuration
>   #
> 
>   auth        include common-auth
> 
>   account     include common-account
> 
>   password    include common-password
> 
>   session     include common-session
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
>