Date: Mon, 19 Mar 2012 05:48:11 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: hardened-shadow, a shadow suite that has tcb built-in

On Thu, Mar 15, 2012 at 05:03:09PM +0100, Paweł Hajdan, Jr. wrote:
> On Wed, Mar 14, 2012 at 23:53, Solar Designer <solar@...nwall.com> wrote:
> 
> > > It's an alternative implementation of shadow utilities
> > > (login, su, passwd and so on), inspired by Openwall's tcb.
> >
> > Actually, for these three things you mentioned, we use SimplePAMApps
> > (with our patches), not the shadow suite.
> 
> Interesting, is 0.60 the latest version of SimplePAMApps? If not, where's
> the latest version?

As far as I'm aware, 0.60 is the latest.  That's what both Owl and ALT
Linux use (with patches).

> Here are links I could find easily:
> 
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/SimplePAMApps/

These are our patches to SimplePAMApps.

> http://sisyphus.ru/en/srpm/Sisyphus/SimplePAMApps/sources

This has the original SimplePAMApps 0.60 tarball in uncompressed form.
The original .tar.gz may be had e.g. from the Owl sources tree:

http://mirrors.kernel.org/openwall/Owl/current/sources/Owl/packages/SimplePAMApps/

In Owl, we have this separation between pristine source tarballs and our
patches into two trees, both of which are used during Owl build.

> > This sounds good, except that for the PAM and NSS modules it could be
> > better to just use those we have in our tcb.  And when its /etc/tcb mode
> > is not needed, then for NSS just use glibc's.  By introducing your
> > alternatives, you potentially increase the total number of bugs in
> > implementations that are in use on different systems.  While I admit
> > that I am guilty for doing similar things (re-implementations) in other
> > cases, arguably there has to be a good reason to introduce a new
> > implementation.  What are your reasons to introduce and maintain yet
> > another pam_unix clone when we already have and maintain pam_tcb?
> 
> That's a good question, and I was also thinking about it before making that
> decision.
> 
> First, when adding tcb support to shadow, I noticed there is some
> duplication (of code but also of knowledge, i.e. coupling) that could be
> solved by moving more code to libtcb, or re-implementing the whole thing as
> a single package (that's what I did with hardened-shadow).
> 
> The hardened_shadow PAM module and NSSwitch module use code from common/,
> especially file.c.

OK.

> I decided to base hardened_shadow PAM module on pam_unix instead of pam_tcb
> because I want hardened-shadow to be as compatible with shadow-utils and
> pam_unix as possible.

Is our pam_tcb somehow less compatible with Linux-PAM's pam_unix than
your module is?

> Note that I'm going to work more on that PAM code, so contributions to
> bring it closer to pam_tcb (or replace it with pam_tcb) could be
> interesting.

At this time, I don't see why you couldn't just use pam_tcb as-is.

> The pam_tcb code would need some changes anyway, e.g. to use
> hardened-shadow.h.

What would it need to use from there, specifically?  Is that about your
first comment above (de-duplication of some code? shadow file rewrites?)

> > FWIW, I noticed that you also excluded gpasswd - you could want to
> > document that in your list of missing features.
> 
> Right, that was also on purpose - I think nowadays password-protected
> groups are not really used, and they increase complexity of the tools.

I agree.

Thanks,

Alexander
