ruserok et al

ruserok et al

[Raphael Cohn]

[-- Attachment #1: Type: text/plain, Size: 1228 bytes --]

Dear List,

Whilst compiling pam_rhosts in Linux PAM 1.1.8 (pam_rhosts.c), it tries to
use the function 'ruserok'. I believe this, and its siblings, aren't in
musl. Quite correctly, I suspect - I presume these relate to the legacy 'r'
commands that no one in their right mind should be using. I'll be patching
my installation to remove this module from the build (*sigh* Linux pam
doesn't make choosing a subset of modules easy).

Would it make sense, for completeness to add stubs to musl to do either:-
- return the failure outcome;
- or, return a nasty warning and a failure outcome? And a syslog on runtime
use to really give users a kick?

Alternatively, it might be a good idea to not do this, but have a wiki page
somewhere listing deliberately unimplemented and stub functions.

Raph

Raphael Cohn
Chief Architect, stormmq
Co-Chair, OASIS MQTT Standard
Secretary, OASIS AMQP Standard
raphael.cohn@stormmq.com
+44 7590 675 756

UK Office:
Hamblethorpe Farm, Crag Lane, Bradley BD20 9DB, North Yorkshire, United
Kingdom
Telephone: +44 845 3712 567

Registered office:
16 Anchor Street, Chelmsford, Essex, CM2 0JY, United Kingdom
StormMQ Limited is Registered in England and Wales under Company Number
07175657
StormMQ.com

[-- Attachment #2: Type: text/html, Size: 1683 bytes --]

Re: ruserok et al

[Rich Felker]

On Wed, Dec 04, 2013 at 02:12:31PM +0000, Raphael Cohn wrote:
> Dear List,
> 
> Whilst compiling pam_rhosts in Linux PAM 1.1.8 (pam_rhosts.c), it tries to
> use the function 'ruserok'. I believe this, and its siblings, aren't in

This is part of the legacy rhosts API for source-IP-address-based
authentication. It's useless, dangerous, and really disturbing that
PAM even supports something that was obsolete and known-dangerous a
decade before PAM was invented... My first reaction would be to say
"patch it out and send a bug report upstream".

> musl. Quite correctly, I suspect - I presume these relate to the legacy 'r'
> commands that no one in their right mind should be using. I'll be patching
> my installation to remove this module from the build (*sigh* Linux pam
> doesn't make choosing a subset of modules easy).

Yes, this is the right solution, but we should try (diplomatically :)
to get upstream fixed too.

> Would it make sense, for completeness to add stubs to musl to do either:-
> - return the failure outcome;
> - or, return a nasty warning and a failure outcome? And a syslog on runtime
> use to really give users a kick?

A stub that just returns failure would not be such a bad thing, but
when it's such a harmful a function that only a single package has
been caught using, I'd rather try to get it fixed upstream.
Compatibility with broken apps/libs is a continuous stream of choices
whether to work around the brokenness in musl (often this has tiny
marginal cost but that cost builds up over time with lots of broken
packages) or make the efforts to get the upstream fixed.

> Alternatively, it might be a good idea to not do this, but have a wiki page
> somewhere listing deliberately unimplemented and stub functions.

That might be a good idea anyway even if we don't add more such
functions.

Rich

Re: ruserok et al

[Raphael Cohn]

[-- Attachment #1: Type: text/plain, Size: 2915 bytes --]

I'm not sure I'll get anywhere with upstream... There's other dubious stuff
in Linux PAM, too. Indeed a quick list of stuff that looks at least suspect
to my mind is:-

wheel (sudo et al are a better solution)
userdb (why? Isn't /etc/passwd already a local database?)
tally (defunct)
time (obsolecent; why restrict logins to certain times in this day and age
when not using time shared systems and dial up)
pwhistory (stores previous passwords ?potentially recoverably)
permit (insecure)
nologin (security risk; forces root to be special)
mail (old-fashioned and of limited use in a server or desktop today)
group (security risk; unnecessary extra complexity in addition to
/etc/group)
ftp (in 2013? And it reckons it's easily spoofed in its own man page)
debug (unnecessary)

but none of that has to do with musl (although dropping time means there's
less patching to do to support legacy NIS junk)...

Anyway, now I'm off-topic.


On 4 December 2013 17:05, Rich Felker <dalias@aerifal.cx> wrote:

> On Wed, Dec 04, 2013 at 02:12:31PM +0000, Raphael Cohn wrote:
> > Dear List,
> >
> > Whilst compiling pam_rhosts in Linux PAM 1.1.8 (pam_rhosts.c), it tries
> to
> > use the function 'ruserok'. I believe this, and its siblings, aren't in
>
> This is part of the legacy rhosts API for source-IP-address-based
> authentication. It's useless, dangerous, and really disturbing that
> PAM even supports something that was obsolete and known-dangerous a
> decade before PAM was invented... My first reaction would be to say
> "patch it out and send a bug report upstream".
>
> > musl. Quite correctly, I suspect - I presume these relate to the legacy
> 'r'
> > commands that no one in their right mind should be using. I'll be
> patching
> > my installation to remove this module from the build (*sigh* Linux pam
> > doesn't make choosing a subset of modules easy).
>
> Yes, this is the right solution, but we should try (diplomatically :)
> to get upstream fixed too.
>
> > Would it make sense, for completeness to add stubs to musl to do either:-
> > - return the failure outcome;
> > - or, return a nasty warning and a failure outcome? And a syslog on
> runtime
> > use to really give users a kick?
>
> A stub that just returns failure would not be such a bad thing, but
> when it's such a harmful a function that only a single package has
> been caught using, I'd rather try to get it fixed upstream.
> Compatibility with broken apps/libs is a continuous stream of choices
> whether to work around the brokenness in musl (often this has tiny
> marginal cost but that cost builds up over time with lots of broken
> packages) or make the efforts to get the upstream fixed.
>
> > Alternatively, it might be a good idea to not do this, but have a wiki
> page
> > somewhere listing deliberately unimplemented and stub functions.
>
> That might be a good idea anyway even if we don't add more such
> functions.
>
> Rich
>

[-- Attachment #2: Type: text/html, Size: 3736 bytes --]

Re: ruserok et al

[Daniel Cegiełka]

Better to musl fits OpenPAM. The modules can be found in the repo
NetBSD and FreeBSD. It needs some work, but the whole authentication
userland can be ported eg from FreeBSD.

http://www.openpam.org/

https://github.com/freebsd/freebsd/tree/master/contrib/openpam
https://github.com/freebsd/freebsd/tree/master/lib/libpam/modules
https://github.com/freebsd/freebsd/tree/master/contrib/pam_modules

Daniel