[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: pam library (and dependancy) policies

On Mon, Aug 19, 2002 at 10:52:43PM -0400, Joe Phillips wrote:
> I searched the mail list archives but nothing obvious turned up.

> I'm attempting to package a project that has a handful of both
> executables and libraries.  

> One of the libraries is a pam module that AFAIK depends on the some of
> the other shared libraries.  Currently, my package installs the shared
> libraries in /usr/lib.  I'm now trying to figure out what to do with the
> PAM library.

> the first issue is that the ./configure script has no way to say
> 'install the PAM library here'.  It basically goes where ever the other
> libraries go - /usr/lib.

> Now, I see that other Debian PAM libraries go into /lib/security/.  I
> understand the motivation for having PAM libraries under /lib, so I want
> my PAM library to go there as well.  As I understand it, we want PAM
> libs in /lib so they're available even when /usr may not be - eg. early
> in boot or a stripped-down system.  some people like to nfs-mount /usr
> for example - what if the server's down.

> well, if /usr is unavailable, my PAM lib may fail to work even if it
> were installed in /lib/security due to the fact that it depends on other
> libs that are in /usr/lib.  This means I may want to in fact have the
> PAM lib's dependancies installed in /lib as well.


$ dpkg -L libpam-smbpass | grep so
$ ldd /lib/security/pam_smbpass.so | grep /usr
        libcups.so.2 => /usr/lib/libcups.so.2 (0x40096000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x400f5000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x40106000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x4015b000)
        liblber.so.2 => /usr/lib/liblber.so.2 (0x4016c000)
        libldap.so.2 => /usr/lib/libldap.so.2 (0x40178000)
        libsasl.so.7 => /usr/lib/libsasl.so.7 (0x402cd000)

Basically, any PAM-enabled app that needs to function before /usr is
mounted (are there any?) can't reference such a module in its PAM config
file.  If the module itself is in /usr, it will fail; if the libraries it
depends on are in /usr, it will fail.

But once /usr is mounted, it doesn't matter where the files are, so
putting the module in /lib/security with all the rest of the PAM modules
is as good a place as any.

Since no Debian policy can keep admins from referencing files in /usr
when they shouldn't, I think this is as good a solution as any.

This is not policy, but it's the status quo; I can find at least 3 other
PAM modules in Debian that handle this the same way.

Steve Langasek
postmodern programmer

Attachment: pgpxEuzliPf90.pgp
Description: PGP signature

Reply to: