On 4.7.2012 3:35, DJ Lucas wrote:
> On 07/02/2012 01:47 AM, Armin K. wrote:
>> It is not my fault that sudo is broken when it comes to pam. Everything
>> else works but it and I don't want to sacrifice everything else for some
>> stuff I don't care about. Just don't use system-session in sudo in the
>> first place like I do.
> Well, that is the problem, sudo isn't broken, it is just doing what it
> was told to do. I'm going to disagree with you about sudo including
> session defaults (see below), but I'm going to follow your example
> nonetheless. I don't particularly like it as it was not what I had
> intended when I wrote those files, but it looks like you and Ubuntu do
> agree on it. They have added a common-session-noninteractive to handle
> this particular use case since I last visited their configuration (for
> which I based a good portion of BLFS's PAM configuration, though
> minimalist). While I dislike it, seeing as I did base it from theirs,
> I'm going to continue to follow their lead and do similar. ck_connector
> and loginuid will require no changes in your instructions this way, and
> the new can be used for cron and samba later on (as in Ubuntu, so this
> might even be expected by some users).
>
> As far as your sudo configuration, for what reason do you not follow the
> book?
Sudo does not work if pam_systemd is active (provides possibly the same
functionality as pam_ck_connector). It is sudo's fault, not other apps',
since everything else works but that one. I don't have any problems with
Cronie, Samba, SSHD or so using system-session with pam_systemd AND
pam_ck_connector.

> Only the above, or do you go well beyond the minimal defaults?

I am not minimalist.

> If so, do you have any other suggestions? I wasn't aware that any other
> editors actually used it. While I'm browsing through it, I see a few
> other wrinkles, for instance, session limits should probably be added to
> system-session as well--while no limits are configured by default, it is
> probably surprising to an end user if they make changes and they don't
> see them immediately. I'm going to pick through it a little more as our
> defaults are getting a little long in the tooth (about 2 years old now).
> I'd like to keep pam_unix as a session module in system-session for
> logging though. In the case of sudo, it is an easy way to catch abuse
> cases of 'sudo su' or 'sudo bash' or similar. Do you have any other
> suggestions for the default PAM configuration?

No.

> --
> DJ Lucas
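For readers following the thread, here is an added illustration (not BLFS's actual files and not written by either poster) of the split DJ describes: an interactive system-session that keeps pam_unix for logging next to pam_ck_connector/pam_systemd, a separate non-interactive session stack modelled on Ubuntu's common-session-noninteractive, and a sudo file that includes only the latter so pam_systemd never runs for sudo. The file name system-session-noninteractive, the BLFS-style system-auth/system-account names, the pam_limits line and the sample log line are all assumptions.

```conf
# /etc/pam.d/system-session  (interactive logins: login, sshd, display managers)
# Illustrative only; file names and module arguments are assumptions, not BLFS's files.
session   required    pam_unix.so          # writes "session opened/closed" lines to syslog for every login
session   required    pam_limits.so        # the session limits DJ suggests adding (assumed line)
session   optional    pam_loginuid.so      # stamps the audit login UID once, at real login time
session   optional    pam_ck_connector.so  nox11
session   optional    pam_systemd.so       # registers a logind session; the line sudo trips over in Armin's setup

# /etc/pam.d/system-session-noninteractive  (assumed name, after Ubuntu's common-session-noninteractive)
session   required    pam_unix.so          # keeps the logging DJ wants for 'sudo su' / 'sudo bash'
session   required    pam_limits.so
# no pam_ck_connector / pam_systemd here: no console or logind session is created for sudo, cron or samba

# /etc/pam.d/sudo
auth      include     system-auth
account   include     system-account
session   include     system-session-noninteractive
# pam_unix still records each elevation, e.g. (constructed sample syslog line):
#   sudo: pam_unix(sudo:session): session opened for user root by armin(uid=1000)
```

Grepping the authentication log for `pam_unix(sudo:session): session opened for user root` is the cheap check DJ alludes to: every `sudo su` or `sudo bash` leaves that line regardless of what the shell does afterwards.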
