
Re: Micro-report: using Stable without systemd



On Wed, 17 Oct 2018 13:02:23 -0400,
Gene Heskett <gheskett@shentel.net> wrote:

> On Wednesday 17 October 2018 05:38:38 Morel Bérenger wrote:
> 
> > On Wed, 17 Oct 2018 04:40:49 -0400,
> >
> > Gene Heskett <gheskett@shentel.net> wrote:  
> > > On Wednesday 17 October 2018 04:00:37 Morel Bérenger wrote:  
> > > > On Tue, 16 Oct 2018 17:53:37 -0400,
> > > >
> > > > Gene Heskett <gheskett@shentel.net> wrote:  
> > > > > On Tuesday 16 October 2018 13:11:45 Greg Wooledge wrote:  
> > > > > > On Tue, Oct 16, 2018 at 12:43:40PM -0400, Gene Heskett
> > > > > > wrote:  
> > > > > > > #1 is ssh -Y has been killed from jessie on. No excuse for
> > > > > > > doing it and bug filing is ignored.  
> > > > > >
> > > > > > I don't know what you mean by this.  I just performed the
> > > > > > following experiment on my stretch workstation (wooledg), in
> > > > > > communications with a stretch server (arc3) elsewhere on our
> > > > > > network.
> > > > > >
> > > > > > 1) Already logged into wooledg, I opened a new urxvt window.
> > > > > >
> > > > > > 2) In this window, I typed: ssh -Y arc3
> > > > > >
> > > > > > 3) After authenticating to arc3 with a password, at the
> > > > > > shell prompt, I typed: xterm
> > > > > >
> > > > > > 4) After a moment, a new xterm window appeared on my
> > > > > > display.  
> > > > >
> > > > > That's expected. Now enter synaptic-pkexec. It should ask you,
> > > > > if you are user 1000, for a passwd and, given it, it will run.
> > > > > But after wheezy, it's not possible. LinuxCNC's graphics needs
> > > > > are modest, and it will run, as the user. But it's not root.
> > > > > And root is denied regardless of how you go about obtaining
> > > > > root permissions.  
> > > >
> > > > Also, I wonder if you tried to do that through, for example
> > > > Xephyr? Might workaround the issue you have?  
> > >
> > > Well I was just reminded that gksudo works. Now what the heck is
> > > Xephyr? Google says it's X on X, whatever that means. I'll try to
> > > remember that and play with it if it's available for wheezy &
> > > later.
> > >
> > > Thanks Morel Bérenger.  
> >
> > The ncurses mode of aptitude says Xephyr is an X server that can be
> > executed inside another X server, more or less like Xnest (or xming,
> > for people like me that had to work on a Windows station but wanted
> > to keep a nice wm embedded on personal hardware ;)).
> >
> > I can not really explain how this works, but in short you could
> > consider a remote system providing the performance stuff (hard disk
> > space, strong CPU, tons of RAM...) and opening the X session on
> > local systems.
> > I think it might fix your problem because basically, su-programs
> > (probably PAM modules, in fact) do some security related checks to
> > avoid passwords being sniffed by a client on another computer: which
> > is what I would expect an ssh -Y gksudo to do.
> >
> > If my explanation is not clear (and I'm certain of it), it's
> > because I don't really master that side of systems, sorry for
> > that :)  
> 
> You, at least, dug deep enough to see that pam was probably the guilty
> party,

I have not dug, not even a minute. It's just that I've always played a
lot with my Debians, and I started really using it when Lenny was
testing.
Playing with apt-pinning, agetty alternatives and the like tends to teach
some stuff, especially when one starts to have some years of background
to compare.
You know, the month I started really using something different from
Windows, I stopped spitting on that system, because I understood that
(most of) the crashes were not Windows' fault but coders doing their
job the wrong way.
It's so easy to hit the 1st thing one can see.

> same conclusion I reached. Unforch, removing pam also pretty
> much nukes the whole system.

Building a PAM-less distro based on Debian would be quite the
challenge, for sure.
I intend to try, some day, just for fun (PAM might also be part of the
reason Xorg has to be started by root on sysV, and since systemd
came into the game, this might have allowed them this improvement. It
seems the *BSD guys are taking a very different approach; I must learn
how they do that, because loading as root a shared library just to
read 2 files (or ask a server) seems bad for both performance and
security to me).

But I do not think it's the smartest solution to fix an actual,
real-life problem.
PAM is basically a set of dynamic libraries, and in theory (never
played with it, the whole model as I know it seems disgusting to me) you
can configure it to use a "module" or another one to identify a user or
an application.
Maybe this would be easier than hacking the whole distro to remove PAM.
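As an added illustration of the point above (this is example code, not something from this thread or from the PAM project), here is a small Python simulation of how a service file under /etc/pam.d stacks modules and how the four classic control flags from pam.conf(5) (required, requisite, sufficient, optional) combine their results. The service file is constructed for the example, `pam_hypothetical_token.so` is a made-up module name, and module outcomes are plain booleans rather than PAM's real per-return-code action tables.

```python
"""Added illustration: how a PAM service stack combines module results.

The service file below is constructed for this example; pam_hypothetical_token.so
is a made-up module name. Module outcomes are booleans, a simplification of
PAM's real per-return-code action tables.
"""
from dataclasses import dataclass
from typing import Dict, List

CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")


@dataclass
class PamRule:
    mtype: str    # auth, account, password or session
    control: str  # one of CONTROL_FLAGS
    module: str   # shared object name, e.g. pam_unix.so


def parse_pam_config(text: str) -> List[PamRule]:
    """Parse 'type control module [args...]' lines as found in /etc/pam.d/<service>."""
    rules: List[PamRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module = fields[0].lower(), fields[1].lower(), fields[2]
        if control not in CONTROL_FLAGS:
            raise ValueError(f"unsupported control flag {control!r} in {raw!r}")
        rules.append(PamRule(mtype, control, module))
    return rules


def evaluate_stack(rules: List[PamRule], mtype: str, outcomes: Dict[str, bool]) -> bool:
    """Combine per-module outcomes for one management type the way pam.conf(5) describes.

    required   : failure makes the stack fail, but later modules still run
    requisite  : failure ends the stack immediately
    sufficient : success ends the stack with success unless a required module
                 already failed; failure is ignored
    optional   : counts only when nothing stronger decided the result
    A module absent from `outcomes` is treated as failing.
    """
    required_failed = False
    definite_success = False
    for rule in (r for r in rules if r.mtype == mtype):
        ok = outcomes.get(rule.module, False)
        if rule.control == "required":
            if ok:
                definite_success = True
            else:
                required_failed = True
        elif rule.control == "requisite":
            if not ok:
                return False
            definite_success = True
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return True
        else:  # optional
            if ok:
                definite_success = True
    return definite_success and not required_failed


# Constructed service file (not from the thread). pam_hypothetical_token.so is made up.
SAMPLE_SERVICE = """\
# /etc/pam.d/example-service  (constructed)
auth     requisite   pam_securetty.so
auth     sufficient  pam_hypothetical_token.so
auth     required    pam_unix.so nullok_secure
session  optional    pam_motd.so
"""


def authenticate(outcomes: Dict[str, bool]) -> bool:
    """Evaluate the 'auth' stack of SAMPLE_SERVICE for the given constructed outcomes."""
    return evaluate_stack(parse_pam_config(SAMPLE_SERVICE), "auth", outcomes)


if __name__ == "__main__":
    cases = {
        "token ok, tty ok": {"pam_securetty.so": True, "pam_hypothetical_token.so": True},
        "token fails, password ok": {"pam_securetty.so": True, "pam_unix.so": True},
        "securetty refuses": {"pam_hypothetical_token.so": True, "pam_unix.so": True},
    }
    for name, outcome in cases.items():
        print(f"{name:28s} -> {'PAM_SUCCESS' if authenticate(outcome) else 'denied'}")
```

Swapping the `sufficient` line for a different module, or reordering it relative to the `required` line, changes the outcome of the same set of module results; that ordering is the whole point of choosing "a module or another one" in the service file rather than rebuilding the distribution.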
