Date: Tue, 7 Sep 2021 14:37:44 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: freebsd-current@freebsd.org, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: PAM module for loading ZFS keys on login
Message-ID: <YTdPCPq7QhiKrmXr@kib.kiev.ua>
In-Reply-To: <20210906140137.iGt2J%steffen@sdaoden.eu>
References: <b4d216da-d4b8-12a6-3873-566e5044678c@metricspace.net> <67F44CFE-2496-4B13-8583-8A80D9ED3A4A@unrelenting.technology> <b265fa82-53f2-59f4-65c2-b07a9412bf83@metricspace.net> <20210906140137.iGt2J%steffen@sdaoden.eu>
On Mon, Sep 06, 2021 at 04:01:37PM +0200, Steffen Nurpmeso wrote:
> Eric McCorkle wrote in
>  <b265fa82-53f2-59f4-65c2-b07a9412bf83@metricspace.net>:
> |Interesting, I wasn't aware of the upstream module. I'd say that's
>
> Its existence was the reason i have readded (now optional, and
> a tad different) session support for my pam_xdg PAM module,
> because i was thinking that, if such a many-eyes-seen thing of
> a software project that claims to be and aims at being enterprise,
> ships such a terrible and terribly broken thing, then i can also
> offer session tracking. But my manual at least states
>
> CAVEATS
>      On Unix systems any "daemonized" program or script is reparented to the
>      program running with PID 1, most likely leaving the PAM user session
>      without PAM recognizing this. Yet careless such code may hold or expect
>      availability of resources of the session it just left, truly performing
>      cleanup when sessions end seems thus unwise. Since so many PAM modules
>      do support session tracking and cleanup pam_xdg.so readded optional
>      support for this.

If you use the reaper facility, that would ensure that all (grand-)children
of your session are always reparented to the reaper and not to init.
In other words, you can reliably know when the session ends.
See procctl(2) PROC_REAP_* commands.

I believe that reaper-like functionality is available on all current
Unix-like systems, even if under different names.

>
> But the real solution would be PAM session tracking in-kernel,
> somehow, wouldn't it?
> Also, on FreeBSD and OpenPAM many separate files exist in
> /etc/pam.d for things which might open a session, whereas linuxpam
> at least has /etc/pam.d/common-session; it has many common- things
> in fact, and in /etc/pam.d/sshd i for example see
>
>   #
>   # /etc/pam.d/sshd - openssh service module configuration
>   #
>
>   auth     include common-auth
>   account  include common-account
>   password include common-password
>   session  include common-session
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
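The reaper facility Konstantin points to, shown as an added example that is not part of this thread, of pam_xdg or of any PAM module: the session process acquires reaper status, a child double-forks a "daemon" and exits, and the orphaned grandchild is reparented to the session process rather than to PID 1, so the session can wait for it and know when it is really gone. On FreeBSD this is procctl(2) PROC_REAP_ACQUIRE as named above; the Linux branch uses prctl(PR_SET_CHILD_SUBREAPER), which I assume to be the equivalent "under a different name". The function names `become_reaper` and `run_session` and the simulated double-fork are my own constructions.

```c
/* Added example: reaper vs. init reparenting of a daemonized grandchild.
 * Not from the thread or from pam_xdg; helper names are invented here. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/procctl.h>
#elif defined(__linux__)
#include <sys/prctl.h>
#endif

/* Make the caller the reaper of all its current and future descendants.
 * FreeBSD: procctl(2) PROC_REAP_ACQUIRE (named in the thread).
 * Linux: prctl(PR_SET_CHILD_SUBREAPER), assumed equivalent for this demo. */
static int become_reaper(void)
{
#if defined(__FreeBSD__)
    return procctl(P_PID, getpid(), PROC_REAP_ACQUIRE, NULL);
#elif defined(__linux__)
    return prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Simulate a PAM session whose program daemonizes: a child forks a
 * grandchild and exits, orphaning it.  The grandchild waits until it has
 * been reparented, then reports its new parent pid through a pipe.
 * Returns the number of descendants we could wait for afterwards:
 * 2 when we are their reaper, 1 when the orphan went to init, -1 on error.
 * The orphan's new parent pid is stored in *daemon_parent. */
static int run_session(int use_reaper, pid_t *daemon_parent)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    if (use_reaper && become_reaper() == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }

    pid_t child = fork();
    if (child == -1)
        return -1;
    if (child == 0) {                        /* intermediate process */
        close(fds[0]);
        pid_t intermediate = getpid();
        pid_t grandchild = fork();
        if (grandchild == 0) {               /* the "daemon" */
            /* Spin (at most ~5 s) until the intermediate has exited. */
            for (int i = 0; i < 5000 && getppid() == intermediate; i++)
                usleep(1000);
            pid_t parent_now = getppid();
            (void)write(fds[1], &parent_now, sizeof parent_now);
            _exit(0);
        }
        _exit(0);                            /* exit at once: orphan it */
    }

    close(fds[1]);                           /* read() gets EOF if the daemon dies */
    pid_t reported = 0;
    ssize_t n = read(fds[0], &reported, sizeof reported);
    close(fds[0]);
    if (n != (ssize_t)sizeof reported)
        return -1;
    *daemon_parent = reported;

    /* Reap everything that is now our child; the loop ends on ECHILD.
     * Without a reaper the grandchild is init's child and never shows up. */
    int reaped = 0;
    while (waitpid(-1, NULL, 0) > 0)
        reaped++;
    return reaped;
}

int main(void)
{
    pid_t p = 0;
    int without = run_session(0, &p);
    printf("without reaper: reaped %d, daemon reparented to %ld (we are %ld)\n",
           without, (long)p, (long)getpid());
    int with = run_session(1, &p);
    printf("with reaper:    reaped %d, daemon reparented to %ld (we are %ld)\n",
           with, (long)p, (long)getpid());
    return with == 2 ? 0 : 1;
}
```

Run it once without and once with the reaper: only the second run sees the grandchild as its own child and can wait for it, which is what a PAM session module needs before it tears down session resources. Note that reaper status, once acquired, persists for the process (and on FreeBSD is released with PROC_REAP_RELEASE), so it should be set by the long-lived session parent, not by a transient helper.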
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YTdPCPq7QhiKrmXr>