From nobody Mon Sep 6 14:01:37 2021 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 3FB6917BCB87; Tue, 7 Sep 2021 11:29:17 +0000 (UTC) (envelope-from steffen@sdaoden.eu) Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4H3jhr3k8bz4X5P; Tue, 7 Sep 2021 11:29:16 +0000 (UTC) (envelope-from steffen@sdaoden.eu) Received: from kent.sdaoden.eu (kent.sdaoden.eu [10.5.0.2]) by sdaoden.eu (Postfix) with ESMTPS id 7B9C716056; Mon, 6 Sep 2021 16:01:39 +0200 (CEST) Received: by kent.sdaoden.eu (Postfix, from userid 1000) id 8D281F7B; Mon, 6 Sep 2021 16:01:37 +0200 (CEST) Date: Mon, 06 Sep 2021 16:01:37 +0200 Author: Steffen Nurpmeso From: Steffen Nurpmeso To: freebsd-current@freebsd.org Cc: Eric McCorkle , Greg , FreeBSD Hackers Subject: Re: PAM module for loading ZFS keys on login Message-ID: <20210906140137.iGt2J%steffen@sdaoden.eu> In-Reply-To: References: <67F44CFE-2496-4B13-8583-8A80D9ED3A4A@unrelenting.technology> Mail-Followup-To: freebsd-current@freebsd.org, Eric McCorkle , Greg , FreeBSD Hackers User-Agent: s-nail v14.9.22-175-gc118a4a5c7 OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs. List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4H3jhr3k8bz4X5P X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of steffen@sdaoden.eu designates 217.144.132.164 as permitted sender) smtp.mailfrom=steffen@sdaoden.eu X-Spamd-Result: default: False [-2.30 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; R_SPF_ALLOW(-0.20)[+a:c]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[sdaoden.eu]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-0.999]; MID_CONTAINS_FROM(1.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15987, ipnet:217.144.128.0/20, country:DE]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-Spam: Yes X-ThisMailContainsUnwantedMimeParts: N Eric McCorkle wrote in : |Interesting, I wasn't aware of the upstream module. I'd say that's It's existence was the reason i have readded (now optional, and a tad different) session support for my pam_xdg PAM module, because i was thinking that, if such a many-eyes-seen thing of a software project that claims to be and aims at being enterprise, ships such a terrible and terribly broken thing, then i can also offer session tracking. But my manual at least states CAVEATS On Unix systems any =E2=80=9Cdaemonized=E2=80=9D program or script i= s reparented to the program running with PID 1, most likely leaving the PAM user session without PAM recognizing this. Yet careless such code may hold or ex= pect availability of resources of the session it just left, truly perform= ing cleanup when sessions end seems thus unwise. Since so many PAM modu= les do support session tracking and cleanup pam_xdg.so readded optional = sup=E2=80=90 port for this. But the real solution would be PAM session tracking in-kernel, somehow, wouldn't it? Also, on FreeBSD and OpenPAM many separate files exist in /etc/pam.d for things which might open a session, whereas linuxpam at least has /etc/pam.d/common-session; it has many common- things in fact, and in /etc/pam.d/sshd i for example see # # /etc/pam.d/sshd - openssh service module configuration # auth include common-auth account include common-account password include common-password session include common-session --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)