crocket (Guru, Joined: 29 Apr 2017, Posts: 558)
Posted: Sun Oct 17, 2021 9:50 am    Post subject: How to add local PAM configuration to a Gentoo system.
Whenever a package is installed, if I execute `dispatch-conf`, files in /etc/pam.d are overwritten.
I found a way to add my own local PAM configuration to files in /etc/pam.d.
With /etc/portage/env/category/package-name

Code:
# Runs from the per-package bashrc hook before the image in ${D} is merged,
# so the appended lines are present every time the package is (re)installed.
pkg_preinst() {
cat << 'EOF' >> "${D}/etc/pam.d/program-name"
-auth optional pam_gnupg.so store-only
-session optional pam_gnupg.so
EOF
}

lines are automatically added to /etc/pam.d/program-name whenever category/program-name is installed.

GDH-gentoo (Veteran, Joined: 20 Jul 2019, Posts: 1720, Location: South America)
Posted: Sun Oct 17, 2021 3:04 pm    Post subject: Re: How to add local PAM configuration to a Gentoo system.
crocket wrote:
> Whenever a package is installed, if I execute `dispatch-conf`, files in /etc/pam.d are overwritten.

etc-update gives you the option of keeping your modified file or selectively merging both.

crocket (Guru, Joined: 29 Apr 2017, Posts: 558)
Posted: Mon Oct 18, 2021 11:25 am    Post subject: Re: How to add local PAM configuration to a Gentoo system.
GDH-gentoo wrote:
> etc-update gives you the option of keeping your modified file, or selectively merge both.

Are you saying that etc-update is better than dispatch-conf?

GDH-gentoo (Veteran, Joined: 20 Jul 2019, Posts: 1720, Location: South America)
Posted: Mon Oct 18, 2021 11:52 am    Post subject: Re: How to add local PAM configuration to a Gentoo system.
crocket wrote:
> Are you saying that etc-update is better than dispatch-conf?

I've never used dispatch-conf, so I can't compare. I do use etc-update extensively to review the diff between configuration files first, and then decide to replace, keep, or interactively merge.

crocket (Guru, Joined: 29 Apr 2017, Posts: 558)
Posted: Mon Oct 18, 2021 10:50 pm
Anyway, manually resolving differences is inferior to manipulating files in pkg_preinst.

figueroa (Advocate, Joined: 14 Aug 2005, Posts: 3007, Location: Edge of marsh USA)
Posted: Tue Oct 19, 2021 4:26 am
I don't understand the problem. dispatch-conf does not regularly write in /etc/pam.d. I run dispatch-conf carefully. Also, dispatch-conf makes backups by default, and I also have nightly backups.

pjp (Administrator, Joined: 16 Apr 2002, Posts: 20496)
Posted: Tue Oct 19, 2021 4:42 am
crocket wrote:
> Anyway, manually resolving differences is inferior to manipulating files in pkg_preinst.

Your example appears to append the given configuration to the existing file. Have you verified that appending is the correct order of entries within the final config file? When I've looked at PAM, it seems like that would never have been the correct behavior (I claim no PAM expertise and wish it would get replaced with something sane, so my understanding of PAM config files may be insufficient).

crocket (Guru, Joined: 29 Apr 2017, Posts: 558)
Posted: Tue Oct 19, 2021 5:57 am
Appending lines results in the exact order that I want. I used to add lines at the end manually before I discovered the /etc/portage/env trick.
I'd also like to know about anything better than PAM. I use PAM for pam_gnupg and pam_rundir.
pam_gnupg unlocks gnupg automatically upon login.
pam_rundir creates XDG_RUNTIME_DIR upon login.
At least PAM is less toxic than dbus and udev. dbus harms security and privacy. udev is complex and tries to drag systemd into my system.

pjp (Administrator, Joined: 16 Apr 2002, Posts: 20496)
Posted: Wed Oct 20, 2021 5:41 am
Thanks. Other than prepending or appending, it seems possibly challenging to get "correct" results with this method. When I've looked at PAM, it has generally been with regard to the order of items and their need for required, sufficient and that sort of thing.
Getting those wrong can lead to major security issues. I can't recall the specifics now, but there was some instance where a PAM configuration was pushed that allowed something along the lines of authentication without a password (or it didn't matter if it was incorrect).
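An added check, not code from the thread, that reads a pam.d stack the way PAM does (top to bottom) and verifies the two properties discussed above: that lines appended by a pkg_preinst hook like crocket's land after the required pam_unix.so entry, and that no `sufficient` auth entry precedes the first required one. The sample file content is constructed; pam_unix.so as the primary password module, the file name and keyword-only control fields (no `[...]` bracket syntax) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.  Constructed sample of what
# ${D}/etc/pam.d/program-name could look like after a pkg_preinst hook appended
# the two pam_gnupg lines (the program name and pam_unix.so are assumptions).
SAMPLE_PAM='auth       required   pam_unix.so try_first_pass
account    required   pam_unix.so
session    required   pam_unix.so
-auth      optional   pam_gnupg.so store-only
-session   optional   pam_gnupg.so'

# Print "type control module" for each entry of one stack type, in file order.
# A leading "-" (skip silently if the module is missing) is stripped.  Only
# keyword controls are handled, not the "[success=1 ...]" bracket syntax.
pam_stack() {   # $1 = auth|account|password|session, stdin = pam.d file
    awk -v want="$1" '
        $1 == "" || $1 ~ /^[#@]/ { next }
        { t = $1; sub(/^-/, "", t) }
        t == want { print t, $2, $3 }'
}

# Succeeds only if no "sufficient" auth entry comes before the first
# required/requisite one: a sufficient module that succeeds ends the stack
# early, so placed first it would bypass the password check that follows.
auth_order_ok() {   # stdin = pam.d file
    pam_stack auth | awk '
        $2 == "sufficient" && !seen_req { bad = 1 }
        $2 == "required" || $2 == "requisite" { seen_req = 1 }
        END { exit bad ? 1 : 0 }'
}

# Position (1-based) of a module within the auth stack, empty if absent.
auth_index_of() {   # $1 = module file name, stdin = pam.d file
    pam_stack auth | awk -v m="$1" '$3 == m { print NR; exit }'
}

# Stand-alone run: the appended pam_gnupg entry should sit after pam_unix.so.
if printf '%s\n' "$SAMPLE_PAM" | auth_order_ok; then
    echo "auth stack order OK: pam_unix.so at #$(printf '%s\n' "$SAMPLE_PAM" | auth_index_of pam_unix.so)," \
         "pam_gnupg.so at #$(printf '%s\n' "$SAMPLE_PAM" | auth_index_of pam_gnupg.so)"
else
    echo "WARNING: a sufficient auth entry precedes the first required one" >&2
fi
```

Point the functions at the real file (`auth_order_ok < "${D}/etc/pam.d/program-name"`) from the same hook, or from a post-merge check, to catch a misordered stack before it is merged into /etc.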