[Bug 943474] New: Adding support for local pam.d/common-session adjustments not affected by pam-config
http://bugzilla.novell.com/show_bug.cgi?id=943474

            Bug ID: 943474
           Summary: Adding support for local pam.d/common-session adjustments not affected by pam-config
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 201505*
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: Basesystem
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: nettezzaumanaa@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Hello,

I've spent some time investigating how the PAM subsystem is implemented in SUSE and ran into an interesting issue.

In a lot of pam.d/ files it is mentioned in the header comment that these files are generated automatically by pam-config and that all user changes will be lost during the regeneration of these files.

One of the most important files is pam.d/common-session, which is included (sourced) into other files (like pam.d/{login,xdm, etc ...}).

Some sysadmins prefer to have trainwrecks under their control and modify these files manually. YaST might also, in certain situations, trigger refreshing these pam.d/ files, which results in lost configurations made by hand.

My suggestion is to set up our default PAM so that it supports (for example) pam.d/common-session-local, which will be included (sourced) into common-session but which won't be re-generated by pam-config, so that it will be possible to put additional manual changes in there (the changes which are not possible to do via pam-config).

An example of such a reasonable change is a proper umask setting per user/group via:

    session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
    session optional pam_umask.so umask=0077
    session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
    session optional pam_umask.so umask=0002

^^ this is the correct way to set umask for specified users/groups that is not available from pam-config or from YaST.

The mentioned common-session is an example, and a -local suffix might be advantageous in the case of a few other files as well.

regards, daniel

--
You are receiving this mail because:
You are on the CC list for the bug.
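
The jump logic in the stack quoted above, traced as an added example that is not part of the bug report and is not pam-config or Linux-PAM code. It models only the two pam_succeed_if conditions shown in the report; the sample accounts and the starting umask of 022 are assumptions.

```python
# Stack copied from the report; the rest is an added, simplified model.
STACK = """\
session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
session optional pam_umask.so umask=0077
session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
session optional pam_umask.so umask=0002
"""

def parse(text):
    """Return (control, module, args) per line; control is a dict for [..] syntax."""
    entries = []
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        rest = line.split(None, 1)[1]            # drop the "session" type field
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in ctl.split())
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        entries.append((control, module, args))
    return entries

def succeed_if(args, user):
    """Model only the two pam_succeed_if conditions used in the report."""
    field, op, value = [a for a in args if a != "quiet"]
    if (field, op) == ("user", "ingroup"):
        return value in user["groups"]
    if (field, op) == ("uid", "eq"):
        return user["uid"] == int(value)
    raise ValueError(f"condition not modelled: {args}")

def effective_umask(entries, user, start=0o022):
    """Walk the stack and return the umask left in place (start is an assumed default)."""
    umask, i = start, 0
    while i < len(entries):
        control, module, args = entries[i]
        result = "success"
        if module == "pam_succeed_if.so" and not succeed_if(args, user):
            result = "auth_err"
        elif module == "pam_umask.so":           # model: each call resets the umask
            umask = int(dict(a.split("=", 1) for a in args)["umask"], 8)
        action = (control.get(result, control.get("default", "ignore"))
                  if isinstance(control, dict) else "ignore")
        i += 1 + (int(action) if action.isdigit() else 0)   # N = skip next N modules
    return umask

# Constructed sample users (hypothetical accounts).
AGENT = {"uid": 1001, "groups": {"users", "secret-agents"}}
UID_1005 = {"uid": 1005, "groups": {"users"}}
OTHER = {"uid": 1002, "groups": {"users"}}
```

In this model an account that is both in secret-agents and has uid 1005 ends up with 0002, because the second pam_umask line runs last.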