Date: Tue, 7 Sep 2021 14:37:44 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: freebsd-current@freebsd.org, FreeBSD Hackers
Subject: Re: PAM module for loading ZFS keys on login
References: <67F44CFE-2496-4B13-8583-8A80D9ED3A4A@unrelenting.technology> <20210906140137.iGt2J%steffen@sdaoden.eu>
In-Reply-To: <20210906140137.iGt2J%steffen@sdaoden.eu>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
On Mon, Sep 06, 2021 at 04:01:37PM +0200, Steffen Nurpmeso wrote:
> Eric McCorkle wrote in
>  :
> |Interesting, I wasn't aware of the upstream module. I'd say that's
>
> Its existence was the reason i have readded (now optional, and
> a tad different) session support for my pam_xdg PAM module,
> because i was thinking that, if such a many-eyes-seen thing of
> a software project that claims to be and aims at being enterprise,
> ships such a terrible and terribly broken thing, then i can also
> offer session tracking.  But my manual at least states
>
>    CAVEATS
>      On Unix systems any "daemonized" program or script is reparented to
>      the program running with PID 1, most likely leaving the PAM user
>      session without PAM recognizing this.  Yet careless such code may
>      hold or expect availability of resources of the session it just
>      left, truly performing cleanup when sessions end seems thus unwise.
>      Since so many PAM modules do support session tracking and cleanup
>      pam_xdg.so readded optional support for this.

If you use the reaper facility, that would ensure that all (grand-)children
of your session are always reparented to the reaper and not to init.
In other words, you can reliably know when the session ends.
See procctl(2) PROC_REAP_* commands.

I believe that reaper-like functionality is available on all current
Unix-like systems, even if under different names.

>
> But the real solution would be PAM session tracking in-kernel,
> somehow, wouldn't it?
> Also, on FreeBSD and OpenPAM many separate files exist in
> /etc/pam.d for things which might open a session, whereas linuxpam
> at least has /etc/pam.d/common-session; it has many common- things
> in fact, and in /etc/pam.d/sshd i for example see
>
>   #
>   # /etc/pam.d/sshd - openssh service module configuration
>   #
>
>   auth include common-auth
>
>   account include common-account
>
>   password include common-password
>
>   session include common-session
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)