Re: Status of my submissions

To: Joel Klecker <jk@espy.org>
Cc: lsb-spec@lists.linuxbase.org
Subject: Re: Status of my submissions
From: Torsten Duwe <duwe@caldera.de>
Date: Wed, 5 Jan 2000 13:05:39 +0100 (CET)
Message-id: <[🔎] 14451.11557.134172.767888@ns.lst.de>
Reply-to: Torsten.Duwe@caldera.de
In-reply-to: <v04220805b49829cae4c9@[206.163.71.146]>
References: <[🔎] 200001021956.OAA11981@devserv.devel.redhat.com> <[🔎] 030a01bf5593$07ad13c0$664cddcf@rpp586> <[🔎] 38707375.53B7088D@transmeta.com> <v04220805b49829cae4c9@[206.163.71.146]>

    Joel> shadow is now fully PAM-enabled thanks to its present Debian
    Joel> maintainer (the only reason upstream doesn't have the patches
    Joel> merged is because Marek hasn't had time to make a new release yet).

[Just joining the discussion I assume you're talking about Marek
Michaelcievic's (sp?) "shadow"-package ?]

    Joel> [ Later, it's clarified that you meant "pwdb" instead of "passwddb"
    Joel> ] pwdb is a bad idea for a couple of reasons, first of all it
    Joel> duplicates the functionality of NSS, a mechanism which works fine
    Joel> and does not need to be bypassed. Second, pam_unix does everything
    Joel> pam_pwdb does without bypassing NSS.

The main reason for libpwdb was that there had been no way of determining
which database a getpw*() value came from. This is in fact irrelevant, and
duplicating the code was futile (:-) iff you're only interested in read-only
access to the "password" database. However if you're up to changing fields in
"the database", knowledge about the fields' origin is required. Hence libpwdb.

Looking at Linux-PAM-0.72/modules/pam_unix/pam_unix_passwd.c, the one and
only (?) file that needs to make such changes, I come up with the following
counter-example. It may sound a little bit artificial, but it's nevertheless
realistic and should serve the purpose of demonstrating pam_unix'
deficiencies when compared to pam_pwdb:

"
Assume I have a laptop, which I use at home, when travelling, at work, at the
university, etc. Of course I keep my own account locally in /etc/passwd. At
work / univerity / ... I want my colleagues to be able to log in and so I
start NIS. Surely I have a NIS account, too.

Now I want to change my local laptop password. I use a PAMified "passwd"
program that's configured for pam_unix use, as you propose. That one will
getpwent() the local entry, will then ask the NIS master and authenticate
using the local entry --> BAD.

libpwdb will do the equivalent of getpwent() and will record where it got the
entry from (the local /etc/passwd in this case). Further updates will go
there.
"

This is what libpwdb was designed for, and it shouldn't be simply dropped for 
something less perfect. I'd vote for integrating pam_unix, pam_pwdb and
libpwdb into something that works correctly with minimal code duplication.

Just my 2 (Euro:-) cents,

	Torsten

--
Torsten Duwe
Senior Developer
duwe@caldera.de

Reply to:

Follow-Ups:
- Re: Status of my submissions
  - From: "Julie" <jockgrrl@ix.netcom.com>

References:
- Status of my submissions
  - From: Jim Kingdon <kingdon@redhat.com>
- Re: Status of my submissions
  - From: "Julie" <jockgrrl@ix.netcom.com>
- Re: Status of my submissions
  - From: "H. Peter Anvin" <hpa@transmeta.com>
- Re: Status of my submissions
  - From: Joel Klecker <jk@espy.org>

Prev by Date: Re: Status of my submissions
Next by Date: LSB Directions (very very long...was Re: Thread deficiencies
Previous by thread: Re: Status of my submissions
Next by thread: Re: Status of my submissions
Index(es):
- Date
- Thread