2019-05-21 00:06 UTC+02:00, Christian Heimes <christ...@python.org> wrote:
> On 20/05/2019 23.27, Antoine Pitrou wrote:
>> Removing the crypt module would remove support for system-standard
>> password files. I don't understand the rationale.
>
> Applications *must* not access system-standard password files directly. On
> any sanely and securely configured system, applications cannot even access
> system password files like /etc/shadow. Access restrictions and system
> security policies will prevent read access. Also applications cannot assume
> that users are present in any user file. They may come from LDAP, SSSD,
> ActiveDirectory, or other sources.
>
> The correct way to interact with system users is to use the proper APIs,
> that are NSS (name service switch) and PAM (pluggable authentication
> modules). NSS looks up and enumerates users and groups. PAM performs password
> validation and much, much, much more. The pwd and grp modules use the
> correct APIs to interact with NSS. If you need to check or change passwords,
> you must go through PAM.

It is possible to have a modern Linux desktop system with PAM not installed
at all, and therefore not used.

Examples of packages in Gentoo Linux which have an OPTIONAL dependency on PAM:
shadow, sudo, openssh, libcap, systemd, util-linux, screen, cronie, polkit,
cups, sddm, kscreenlocker, xscreensaver
(So a KDE Plasma desktop environment and its direct and indirect
dependencies can be installed without PAM.)

The suggested substitutes for the spwd module, i.e. python-pam and simplepam,
look like they would not work on a PAM-free system.

--
Arfrever Frehtes Taifersar Arahesis
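
The two points raised in this exchange (accounts may be visible through NSS without appearing in any local file, and libpam may not be installed) can be checked at runtime. The following is an added example, not code from the thread or from CPython; `local_passwd_names`, `account_source`, `pam_library` and the sample passwd text are hypothetical names and constructed data.

```python
import ctypes.util
import pwd

# Constructed sample of a local passwd file (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# comment line
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

def local_passwd_names(text):
    """Return the account names listed in passwd-format text."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 7 and fields[0]:
            names.add(fields[0])
    return names

def account_source(name, passwd_text, lookup=pwd.getpwnam):
    """Classify an account as 'local-file', 'nss-only' or 'unknown'.

    lookup is the NSS query (pwd.getpwnam by default); it is a parameter
    only so the function can be exercised without real accounts.
    """
    try:
        lookup(name)
    except KeyError:
        return "unknown"
    if name in local_passwd_names(passwd_text):
        return "local-file"
    return "nss-only"  # resolved by another NSS source, e.g. LDAP or SSSD

def pam_library():
    """Return the libpam name the loader can find, or None on a PAM-free system."""
    return ctypes.util.find_library("pam")

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        print("root:", account_source("root", fh.read()))
    print("libpam:", pam_library())
```

An application that gets `nss-only` for a valid user, or `None` from `pam_library()`, is on a system where one of the assumptions debated above does not hold.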