Releases/FeatureRemovePAMConsole

From FedoraProject

Jump to: navigation, search

Contents

Remove pam_console

Summary

We need to remove pam_console and migrate all users to use the ACLs as set by HAL.

Owner

  • Names: DavidZeuthen, BillNottingham, TomasMraz

Current status

  • Targeted release: Fedora 8
  • Last updated: [[DateTime(2007-07-19T14:59:21Z)]
  • Percentage of completion: 85%

Detailed Description

The use of pam_console is twofold

1. To maintain /var/run/console 1. To chown certain device nodes. This is controlled by the configuration file /etc/security/console.perms and configurations files in the directory /etc/security/console.perms.d

Other applications in Fedora depend on this. As such, pam_console provides an ABI and removing pam_console breaks this ABI. For example, D-Bus relies on files in /var/run/console to implement the "at_console" policy directive. Third party packages relies on being able to drop a file in /etc/security/console.perms.d.

Some problems with pam_console:

1. It breaks any notion of multi-user systems, e.g. fast-user-switching and, in the future, multi-seat 1. Device file owner ship is based on device file names 1. Potential security problems of device file ownership if pam_end() isn't called 1. We really want to both remove ACL and call revoke() on device nodes for fast-user-switching. This is to prevent the user of the inactive session B spying on the user of the active session A using webcam, soundcards.

It should be noted that except for derived distributions and a few minor distributions, pam_console is Fedora specific.

Benefit to Fedora

When using fast-user-swtiching or similar multi-head setups, pam_console is insufficient; it does not know of active and inactive sessions, nor can it allow multiple users access at once.

Scope

1. Make sure all needed devices are covered by the HAL ACL code. 1. Make sure all required apps use these devices. 1. Disable pam_console in the PAM configuration 1. Remove the udev rules that exist solely for pam_console's benefit (CD writer devices, scanner devices, etc.)

This still leaves us, at least, with the problem of files from 3rd party packages in /etc/security/console.perms.d. Fundamentally, such files are flawed; they rely on device names and nothing more.

Proposal:

For Fedora 8, we should keep pam_console around but don't make it chown devices already covered by HAL. I can provide an extensive list. - DONE

For Fedora 9, we will then

1. add code to HAL to make it easier for 3rd party packages to easily tell HAL what devices to grant ACL's to. It's possible today, but it's a bit convoluted to say the least. 1. blacklist /etc/security/console.perms.d [1] 1. make ConsoleKit manage /var/run/console for backwards compat (should be easy) 1. fix all apps relying on /var/run/console to use ConsoleKit

[1]  : This means we would need a feature in the build system to reject any package that provide files in /etc/security/console.perms.d. It's a nice buildsys feature to have anyway.

Test Plan

1. Make sure users logged in on the console can burn CDs, mount USB disks, use PDAs, scan documents, etc.

User Experience

Dependencies

1. HAL 1. ConsoleKit 1. Others

Contingency Plan

Documentation

Release Notes