Re: PAM module for loading ZFS keys on login

In reply to: Konstantin Belousov : "Re: PAM module for loading ZFS keys on login"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Steffen Nurpmeso <steffen_at_sdaoden.eu>
Date: Tue, 07 Sep 2021 12:30:10 UTC
Konstantin Belousov wrote in
 <YTdPCPq7QhiKrmXr@kib.kiev.ua>:
 |On Mon, Sep 06, 2021 at 04:01:37PM +0200, Steffen Nurpmeso wrote:
 |> Eric McCorkle wrote in
 |>  <b265fa82-53f2-59f4-65c2-b07a9412bf83@metricspace.net>:
 |>|Interesting, I wasn't aware of the upstream module.  I'd say that's
 |> 
 |> It's existence was the reason i have readded (now optional, and
 |> a tad different) session support for my pam_xdg PAM module,
 |> because i was thinking that, if such a many-eyes-seen thing of
 |> a software project that claims to be and aims at being enterprise,
 |> ships such a terrible and terribly broken thing, then i can also
 |> offer session tracking.  But my manual at least states
 |> 
 |>   CAVEATS
 |>        On Unix systems any “daemonized” program or script is reparented \
 |>        to the
 |>        program running with PID 1, most likely leaving the PAM user \
 |>        session
 |>        without PAM recognizing this.  Yet careless such code may \
 ...

 |If you use reaper facility, that would ensure that all (grand-)children
 |of your session are always reparented to the reaper and not to init.  In
 |other words, you can reliable know when the session ends.  See
 |procctl(2) PROC_REAP_* commands.
 |
 |I believe that reaper-like functionality is available on all current
 |Unix-like systems, even if under different names.

Ah it is really, really cool what becomes possible (everywhere;)!
So (Open)PAM should maybe (configurably) enable this does for all
programs which actually use modules which use session management.

  #?0|kent:free-src.git$ git grep PROC_REAP_ origin/main |
    grep -vE '\.2:|:tests/' |
    sed -E 's/^(.+:.+):.+$/\1/' |
    sort -u
  origin/main:sys/compat/freebsd32/freebsd32_misc.c
  origin/main:sys/kern/kern_procctl.c
  origin/main:sys/sys/procctl.h
  origin/main:usr.bin/timeout/timeout.c

I do not have systemd here, but on Linux situation seems similar:

  #?0|kent:x$ tar -xf /x/balls/shadow/shadow-4.8.1.tar.xz
  #?0|kent:x$ grep -r REAP shadow-4.8.1/
  #?1|kent:x$ tar -xf /x/balls/linux-pam/Linux-PAM-1.5.1.tar.xz
  #?0|kent:x$ grep -r REAP Linux-PAM-1.5.1/
  [yes, pam_unix defines UNIX_REAP, not PR_SET_CHILD_SUBREAPER]
  #?0|kent:x$ tar -xf /x/balls/openssh/openssh-8.7p1.tar.gz
  #?0|kent:x$ grep -r REAP openssh-8.7p1/
  #?1|kent:x$

Maybe this is why systemd flies, i would guess it does, and this
gives you then reliable session management.  I did not really know
that actually, .. consciously.  This is really cool, but still
also that upstream OpenZFS module, and my one, and who knows which
other PAM module also, perform really bad sad and bitter session
counting via counter files, ... but that is a different topic.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)