[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

New PAM abstraction: /etc/pam.d/common-session-noninteractive

Hi folks,

With the upload of pam 1.0.1-11 to unstable, we've fixed a long-standing bug
in the /etc/pam.d/common-* abstractions:  namely, that there was no way to
set separate system-wide policies for interactive vs. non-interactive
sessions (bug #169930).

The PAM MiniPolicy (/usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz)
explains this new functionality as follows:

  The selection of common-session or common-session-noninteractive is based
  on whether the service provides "shell-like" interactive capabilities to
  the user (e.g.: login, ssh, gdm) or is a non-interactive session or a
  session mediated by a structured protocol (e.g.: cron, cups, samba, ppp).
  This allows a service to avoid calling some modules, such as
  pam_ck_connector, that only make sense in an interactive context and
  should be avoided otherwise.  It is expected that the modules used for
  noninteractive sessions will always be a subset of those used for
  interactive sessions.


  Applications that use common-session-noninteractive must depend
  on libpam-runtime (>= 1.0.1-11) for this file.

So if you maintain a package that provides a PAM-using service and
implements non-interactive sessions, there's a transition ahead.  Please
consider changing your /etc/pam.d/ config file to include
common-session-noninteractive instead of common-session, and add a versioned
dependency on libpam-runtime (>= 1.0.1-11), at your convenience.

If you have doubts about whether your package should use common-session vs.
common-session-noninteractive, feel free to contact the PAM maintainers
(mailing list cc:ed), or you can just wait for someone to file a bug on your

On the module side, we of course need a way for a profile to specify whether
its session module should be used for interactive sessions only, or for all
sessions.  https://wiki.ubuntu.com/PAMConfigFrameworkSpec[1] has been updated
to document a new profile field for this:

   A profile which declares it implements the session module type may also
   use the field Session-Interactive-Only: yes to indicate it should only be
   used in sessions for interactive services (e.g.: login, ssh, gdm).

Of the top of my head, the only module package I know which already
implements pam-auth-update support and will need to change for this is
libpam-ck-connector, which I'll file a bug for shortly.  No change is needed
to the dependencies of module packages for this new feature - it will be
ignored by old versions of pam-auth-update, and automatically recognized by
new versions on upgrade.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

[1] which is way overdue for merging into the PAM MiniPolicy...

Attachment: signature.asc
Description: Digital signature

Reply to: