On 22/05/2019 06.20, Arfrever Frehtes Taifersar Arahesis wrote:
> 2019-05-21 00:06 UTC+02:00, Christian Heimes <christ...@python.org> wrote:
>> On 20/05/2019 23.27, Antoine Pitrou wrote:
>>> Removing the crypt module would remove support for system-standard
>>> password files. I don't understand the rationale.
>>
>> Applications *must* not access system-standard password files directly. On
>> any sanely and securely configured system, applications cannot even access
>> system password files like /etc/shadow. Access restrictions and system
>> security policies will prevent read access. Also applications cannot assume
>> that users are present in any user file. They may come from LDAP, SSSD,
>> ActiveDirectory, or other sources.
>>
>> The correct way to interact with system users is to use the proper APIs,
>> that are NSS (name service switch) and PAM (pluggable authentication
>> modules). NSS looks up and enumerates users and groups. PAM performs password
>> validation and much, much, much more. The pwd and grp modules use the
>> correct APIs to interact with NSS. If you need to check or change passwords,
>> you must go through PAM.
>
> It is possible to have a modern Linux desktop system with PAM not
> installed at all, and therefore not used.
>
> Examples of packages in Gentoo Linux which have OPTIONAL dependency on PAM:
> shadow, sudo, openssh, libcap, systemd, util-linux, screen, cronie,
> polkit, cups, sddm, kscreenlocker, xscreensaver
> (So a KDE Plasma desktop environment and its direct and indirect
> dependencies can be installed without PAM.)
>
> The suggested substitutes for spwd module, i.e. python-pam and
> simplepam, look like they would not work on a PAM-free system.

Thanks for bringing this up. I don't think we need to care about this case.

A PAM-free Linux system is an IMHO very special and exotic case. It's certainly not a setup anybody should run on a server. There are a lot of good reasons to use PAM. I'll update the BPO with reasons soonish.

By the way, the /etc/shadow shadow(5) format is trivial and can be parsed with a few lines of code. There is no need to use spwd.

Christian

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
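The message above says the shadow(5) format can be parsed in a few lines of code. The following is an added example to illustrate that claim; it is not code from the thread, from spwd, or from CPython. It parses the nine colon-separated shadow(5) fields (login name, password hash, last-change day, min/max/warn/inactive ages, expiry day, reserved) from constructed sample lines, never touching the real /etc/shadow, and derives the two things an auditing script usually wants: whether the password field is a usable hash, locked, or empty, and when a password ages out. The sample entries, their hashes and day counts are made up for the example.

```python
"""Parser for the shadow(5) file format (added example, not spwd or CPython code).

Field order per shadow(5):
  name:password:lastchg:min:max:warn:inactive:expire:reserved
Day fields count days since 1970-01-01; an empty field means "not set".
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)
# Conventional "password aging disabled" value written by useradd/chage.
NO_AGING = 99999


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]
    reserved: str

    @property
    def status(self) -> str:
        """Classify the password field without interpreting the hash itself."""
        if self.password == "":
            return "empty"            # no password at all: worth flagging in an audit
        if self.password.startswith(("!", "*")):
            return "locked"           # shadow(5): "!"/"*" prefix means login via password is disabled
        return "hashed"               # a crypt(3)-style hash, e.g. $6$...

    def password_expires_on(self) -> Optional[date]:
        """Date the password must be changed, or None if aging is disabled."""
        if self.last_change is None or self.max_days is None or self.max_days >= NO_AGING:
            return None
        return EPOCH + timedelta(days=self.last_change + self.max_days)


def _opt_int(field: str) -> Optional[int]:
    """Empty shadow fields mean 'unset', so map them to None instead of failing."""
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow(5) record; raise ValueError on malformed input."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, lastchg, min_d, max_d, warn, inact, expire, reserved = fields
    if not name:
        raise ValueError("empty login name")
    return ShadowEntry(
        name, pw,
        _opt_int(lastchg), _opt_int(min_d), _opt_int(max_d),
        _opt_int(warn), _opt_int(inact), _opt_int(expire),
        reserved,
    )


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse a whole file's worth of records, keyed by login name."""
    entries: Dict[str, ShadowEntry] = {}
    for line in text.splitlines():
        if not line.strip():
            continue                  # tolerate blank lines
        entry = parse_shadow_line(line)
        entries[entry.name] = entry
    return entries


# Constructed sample data; the hash string is not a real hash of anything.
SAMPLE_SHADOW = """\
root:!:18000:0:99999:7:::
alice:$6$saltsalt$notARealHashJustForTheExample:18100:0:90:7:14::
daemon:*:17000:0:99999:7:::
bob::18200:0:99999:7:::
"""


def audit(text: str = SAMPLE_SHADOW) -> Dict[str, str]:
    """Return name -> password status for every entry, e.g. to spot empty passwords."""
    return {name: entry.status for name, entry in parse_shadow(text).items()}


if __name__ == "__main__":
    for name, entry in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{name:8} {entry.status:7} expires={entry.password_expires_on()}")
```

The parser only handles the file format; it does not verify passwords, which, as the message stresses, is PAM's job, and reading the real /etc/shadow still requires root. The `status` classification follows the shadow(5) convention that a leading `!` or `*` disables password login, and `password_expires_on` treats the conventional 99999 maximum age as "aging disabled".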