On 07/02/2012 01:47 AM, Armin K. wrote:
> It is not my fault that sudo is broken when it comes to pam. Everything
> else works but it and I don't want to sacrifice everything else for some
> stuff I don't care about. Just don't use system-session in sudo in the
> first place like I do.

Well, that is the problem, sudo isn't broken, it is just doing what it was told to do. I'm going to disagree with you about sudo including session defaults (see below), but I'm going to follow your example nonetheless. I don't particularly like it as it was not what I had intended when I wrote those files, but it looks like you and Ubuntu do agree on it.

They have added a common-session-noninteractive to handle this particular use case since I last visited their configuration (for which I based a good portion of BLFS's PAM configuration, though minimalist). While I dislike it, seeing as I did base it from theirs, I'm going to continue to follow their lead and do similar. ck_connector and loginuid will require no changes in your instructions this way, and the new can be used for cron and samba later on (as in Ubuntu, so this might even be expected by some users).

As far as your sudo configuration, for what reason do you not follow the book? Only the above, or do you go well beyond the minimal defaults? If so, do you have any other suggestions? I wasn't aware that any other editors actually used it.

While I'm browsing through it, I see a few other wrinkles, for instance, session limits should probably be added to system-session as well--while no limits are configured by default, it is probably surprising to an end user if they make changes and they don't see them immediately. I'm going to pick through it a little more as our defaults are getting a little long in the tooth (about 2 years old now).

I'd like to keep pam_unix as a session module in system-session for logging though. In the case of sudo, it is an easy way to catch abuse cases of 'sudo su' or 'sudo bash' or similar.

Do you have any other suggestions for the default PAM configuration?

-- DJ Lucas
