[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Steve Langasek steve.langasek at canonical.com
Sat May 15 09:55:16 BST 2010


On Sat, May 15, 2010 at 12:31:18AM -0000, Daniel Richard G. wrote:

> This is a potential solution, but putting aside the tricky case of "what
> happens if the common-* files have customized options, and then the PAM
> profile changes?", another problem with this approach is the fragility
> of the customization. If you deselect the module, update, then reselect
> it, and update... the customized module options are gone without a
> trace. There's no way to get them back, other than making the same edit
> to the common-* files again. The only real way to safeguard such
> customizations is to revert the files to manually-edited mode.

The only way to preserve such options would be to store the authoritative
configuration somewhere other than in the configuration file.  (Right now,
we only record what the last-seen set of module defaults are; the
configuration itself is only ever stored in /etc/.)  I don't think moving
parts of the user configuration out of the config files is acceptable, and
if you disable and then re-enable a module, I don't see any reason that the
config options *should* be sticky.

> I'm not terribly comfortable with the way the "statefulness" works with
> this approach, either. The PAM configuration is not just a vector of
> bits indicating enabled/disabled profiles, but also whatever
> customizations have been made in the common-* files. If I'm not aware of
> what these customizations are, then I have no good way of knowing if my
> PAM config is just that vector, or if there's something more to it.
> There's no mechanism to tell me "here are all the module options that
> are different from what's in the profiles."

True.  We could add an option for this, but as things stand today,
pam-auth-update already implements the usual guarantee required by
Debian/Ubuntu policy - that local configuration changes are respected.
Helping the user understand which bits of the configuration *are* local
changes is gravy.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.
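
The check discussed above, a listing of the module options in the common-* files that differ from what the profiles ship, could look like the following. This is an added example, not part of the original message and not pam-auth-update's own code; the profile and common-auth text are constructed samples, and the function names are hypothetical.

```python
import re

# control (one word or [bracketed list]), module, then options
RULE = re.compile(r"(\[[^\]]*\]|\S+)\s+(pam_\S+\.so)\s*(.*)$")
# Constructed sample in the pam-configs profile layout (values illustrative).
PROFILE = """Name: Kerberos authentication
Auth-Type: Primary
Auth:
\t[success=end default=ignore]\tpam_krb5.so minimum_uid=1000 try_first_pass
Auth-Initial:
\t[success=end default=ignore]\tpam_krb5.so minimum_uid=1000
"""
# Constructed common-auth in which an admin has edited minimum_uid by hand.
COMMON_AUTH = """# here are the per-package modules
auth\t[success=2 default=ignore]\tpam_krb5.so minimum_uid=500
auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure try_first_pass
"""

def profile_options(profile_text):
    """Map (type, module) -> option sets, one per profile block."""
    defaults, field = {}, None
    for line in profile_text.splitlines():
        m = RULE.match(line.strip())
        if line[:1] in (" ", "\t") and field and m:   # rule inside a block
            pam_type = field.split("-")[0].lower()    # Auth-Initial -> auth
            key = (pam_type, m.group(2))
            defaults.setdefault(key, []).append(set(m.group(3).split()))
        elif line[:1].strip() and ":" in line:        # new "Field:" header
            field = line.split(":", 1)[0]
    return defaults

def local_changes(common_text, defaults):
    """Return (type, module, added, removed) for rules matching no block."""
    changes = []
    for line in common_text.splitlines():
        parts = line.split(None, 1)
        m = RULE.match(parts[1]) if len(parts) == 2 else None
        variants = defaults.get((parts[0], m.group(2))) if m else None
        if not variants:
            continue                      # comment, or module not in profile
        opts = set(m.group(3).split())
        if opts not in variants:          # compare with the closest block
            base = min(variants, key=lambda v: len(v ^ opts))
            changes.append((parts[0], m.group(2),
                            sorted(opts - base), sorted(base - opts)))
    return changes

if __name__ == "__main__":
    print(local_changes(COMMON_AUTH, profile_options(PROFILE)))
```

Only module options are compared; the control field is ignored because the generated files carry jump counts where the profile says `success=end`.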
