Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 12 Aug 2012 20:31:10 -0400
From: Rich Felker <>
Subject: Re: Design for extensible passwd[/shadow?] db support

On Sun, Aug 12, 2012 at 08:26:24PM -0400, wrote:
> > Presumably at some point, musl will be used in environments where it's
> > not feasible to have the entire user database in a flat password file.
> > Despite NIS being hideous, largish institutions use it for this
> > reason; presumably LDAP is a much better option, and there may be
> > other options still I'm not aware of.
> Out of curiosity, is PAM excluded from consideration? Does it require a
> dynamically-loaded library?

PAM is not an implementation of the user database. It's for
authenticating logins. Completely different problem domain.

> > The first main question is what protocol to use. One really simple
> > choice would be a plain text protocol where the name/uid of requested
> > user is sent over a socket (probably a datagram unix socket) and the
> > response comes back in standard colon-delimited passwd format for the
> > existing passwd code to parse. This seems very clean, but as far as I
> > know it doesn't have any existing implementations.
> I presume, for security reasons, that this would be the contents of
> /etc/passwd as found on shadow-enabled systems...but how does the password
> get authenticated?
> Or are unix sockets immune to sniffing?

Yes, they're immune to sniffing. The decision to use shadow or not is
independent of the decision on how to acess the user database.

> > Alternatively, we could make musl speak an existing query language
> > (e.g. LDAP) directly, such that it could interface with any existing
> > server out there that speaks the chosen protocol, or with a proxy that
> > translates to other protocols like NIS.
> If you do any sort of communication over sockets/networks/... with a
> daemon, I'd suggest having musl communicate with a PAM-capable daemon.
> PAM is meant for scenarios like this.

No, PAM is made for logging in. Not telling which user has which uid
and what their realnames, home directories, or preferred shells are..


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.