From Fedora Project Wiki
No edit summary
(Add trackers)
 
(13 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Remove pam_console =
= Remove pam_console =
{{Change_Proposal_Banner}}


== Summary ==
== Summary ==
Remove pam_console as it is broken and no longer under use.
Remove pam_console as it is not enabled by default, can be replaced by systemd and has security issues.


== Owner ==
== Owner ==
Line 15: Line 13:


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF39]]
<!-- TODO: -->
<!-- TODO: -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
Line 33: Line 31:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3MV5G32UF2TQ3U7JZXPRLQWCQUPR7QT2/ devel thread]
* Tracker bug: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2945 #2945]
* Release notes tracker: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2166692 #2166692]
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/965 #965]


== Detailed Description ==
== Detailed Description ==
Currently, the pam_console module is broken because one of the files needed to define the permissions (50-default.perms) is not installed in the distribution. Indeed, there was a [[Releases/FeatureRemovePAMConsole|System-Wide Change]] proposal in 2007 to remove pam_console, but it wasn't finished.
pam_console give users at the physical console additional capabilities when authenticating, and removes those capabilities when the user logs out. The module changes the permissions and ownership of files and devices.
 
pam_console has some limitations and flaws:
* Only one user can have those additional capabilities at the same time (no multi-seat)
* Potential security problems of device file ownership if the PAM conversation ending isn't executed
* Remove ACL and call revoke() on device nodes for fast-user-switching. This is to prevent the user of the inactive session B spying on the user of the active session A using webcam, sound cards, etc.
* As of today the module does nothing because one of the configuration files use to define the permissions (50-default.perms) is not installed in the distribution. Other packages may install their own configuration files to specify the permissions, but I haven't found any.
 
These additional capabilities that pam_console provides are useful to simplify the work for console users. Usually, the permissions are set for devices like the CD/DVD reader, or the disk drives. This functionality is still useful today, and it should be managed with systemd-logind, rather than with a PAM module. This systemd service takes care of user sessions, multi-seat management, device access management... This would increase the security level of the system, and enable multi-seat for the file and device permissions. For more information on systemd-logind implementation refer to the documentation on how to [https://www.freedesktop.org/wiki/Software/systemd/writing-display-managers/ Write Display Managers] and [https://www.freedesktop.org/wiki/Software/systemd/writing-desktop-environments/ Write Desktop Environments].
 
In 2007 there was a [[Releases/FeatureRemovePAMConsole|System-Wide Change]] proposal to remove pam_console, but it wasn't finished. My plan is to continue that work and remove the pam_console module.
 


== Feedback ==
== Feedback ==
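Review bot: In the new "limitations and flaws" list under Detailed Description, the third bullet ("Remove ACL and call revoke() on device nodes for fast-user-switching") is written as an action rather than a flaw, so it does not say what pam_console itself does or fails to do. Reword it as a statement about pam_console's behaviour so it matches the other three bullets. Two smaller points in the same hunk: "pam_console give users" should read "gives users", and "configuration files use to define" should read "used to define".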
Line 44: Line 54:


== Benefit to Fedora ==
== Benefit to Fedora ==
The main benefit is that it reduces the maintenance effort of the package, without reducing the functionality as this should be managed by the HAL ACL. The pam_console module is not included in the [https://github.com/linux-pam/linux-pam Linux-PAM], and it has to be maintained in a [https://pagure.io/pam-redhat side-project]. On top of that, the module is only used in Fedora and some of its derivatives.
By removing pam_console and moving to systemd-logind the distribution would benefit from the multi-seat functionality and higher security levels.


== Scope ==
== Scope ==
* Proposal owners:
* Proposal owners:
# Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies).
# Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies).
# Remove pam_console from [https://pagure.io/pam-redhat pam-redhat] project and rebuild Fedora package.
# Remove pam_console from [https://pagure.io/pam-redhat pam-redhat] project and rebuild the PAM package without it.


* Other developers:
* Other developers:
# Identified software package maintainers should review and merge the pam_console removal PRs.
# Identified software package maintainers should review and merge the pam_console removal PRs.


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issue/11223 #11223]
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
<!-- TODO: add link -->


* Policies and guidelines: N/A
* Policies and guidelines: N/A
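Review bot: The new Benefit to Fedora sentence claims "higher security levels" without naming which of the issues listed in Detailed Description the move to systemd-logind addresses. It also drops the concrete maintenance argument from the old text (the module is not part of Linux-PAM, lives in the pam-redhat side project, and is used only in Fedora and some derivatives). Consider keeping that argument and tying the security claim to the device-ownership bullet.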
Line 71: Line 78:
== How To Test ==
== How To Test ==
No special hardware or configuration is required to test this change. Once the change is in place, check that the pam_console isn't installed in your system (default location: /lib64/security/pam_console.so) and do a user authentication (i.e. graphical interface, su, ssh, and whatever else comes to your mind).
No special hardware or configuration is required to test this change. Once the change is in place, check that the pam_console isn't installed in your system (default location: /lib64/security/pam_console.so) and do a user authentication (i.e. graphical interface, su, ssh, and whatever else comes to your mind).
<!-- TODO: check once Dependencies is written -->




== User Experience ==
== User Experience ==
<!-- If this change proposal is noticeable by users, how will their experiences change as a result?
Users won't experience any change.
 
This section partially overlaps with the Benefit to Fedora section above. This section should be primarily about the User Experience, written in a way that does not assume deep technical knowledge. More detailed technical description should be left for the Benefit to Fedora section.
 
Describe what Users will see or notice, for example:
  - Packages are compressed more efficiently, making downloads and upgrades faster by 10%.
  - Kerberos tickets can be renewed automatically. Users will now have to authenticate less and become more productive. Credential management improvements mean a user can start their work day with a single sign on and not have to pause for reauthentication during their entire day.
- Libreoffice is one of the most commonly installed applications on Fedora and it is now available by default to help users "hit the ground running".
- Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
-->


== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
This change depends on other packages removing pam_console from their PAM stack. I have identified five packages and I have opened a bugzilla for all of them:
 
* xorg-x11-server - https://bugzilla.redhat.com/show_bug.cgi?id=1822209
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* lxdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822227
 
* xorg-x11-xdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822225
<!-- TODO:
* slim - https://bugzilla.redhat.com/show_bug.cgi?id=1822229
    https://bugzilla.redhat.com/show_bug.cgi?id=1822209
* gdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822228
    https://bugzilla.redhat.com/show_bug.cgi?id=1822227
    https://bugzilla.redhat.com/show_bug.cgi?id=1822225 (orphaned and probably it will be retired soon)
    https://bugzilla.redhat.com/show_bug.cgi?id=1822229 (orphaned)
    https://bugzilla.redhat.com/show_bug.cgi?id=1822228
-->


<!-- TODO: there might be some unidentified software packages, I'm opening this System-Wide Change to also identify them -->
From the above list only the first item is a blocker as it requires pam_console to succeed in the authentication. In all other cases it is optional, so not removing the module from their PAM stack will only cause a message printed in the security file.




== Contingency Plan ==
== Contingency Plan ==


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism: Postpone to the next release.
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: Beta freeze.
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Blocks release? No.
* Contingency deadline: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->




== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
No documentation.


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)


== Release Notes ==
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
No need to update the release notes for this change.
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this change, indicate them here.  A link to upstream documentation will often satisfy this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release.
 
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze.  
-->
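Review bot: In the Dependencies list, the "orphaned" remarks that the removed TODO comment carried for bugs 1822225 and 1822229 are not carried over to the new xorg-x11-xdm and slim entries. That status decides whether the removal PRs for those two packages can be merged at all, so keep it next to the entries. The sentence "only the first item is a blocker" also depends on list order; naming xorg-x11-server explicitly would survive reordering.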

Latest revision as of 16:36, 2 February 2023

Remove pam_console

Summary

Remove pam_console as it is not enabled by default, can be replaced by systemd and has security issues.

Owner


Current status

Detailed Description

pam_console gives users at the physical console additional capabilities when authenticating, and removes those capabilities when the user logs out. The module changes the permissions and ownership of files and devices.

pam_console has some limitations and flaws:

  • Only one user can have those additional capabilities at the same time (no multi-seat)
  • Potential security problems of device file ownership if the PAM conversation ending isn't executed
  • Remove ACL and call revoke() on device nodes for fast-user-switching. This is to prevent the user of the inactive session B spying on the user of the active session A using webcam, sound cards, etc.
  • As of today the module does nothing because one of the configuration files used to define the permissions (50-default.perms) is not installed in the distribution. Other packages may install their own configuration files to specify the permissions, but I haven't found any.

The additional capabilities that pam_console provides simplify the work of console users. Usually, the permissions are set for devices like the CD/DVD reader or the disk drives. This functionality is still useful today, but it should be managed by systemd-logind rather than by a PAM module. This systemd service takes care of user sessions, multi-seat management, device access management, and so on. Moving to it would increase the security level of the system and enable multi-seat for the file and device permissions. For more information on the systemd-logind implementation, refer to the documentation on how to Write Display Managers and Write Desktop Environments.

In 2007 there was a System-Wide Change proposal to remove pam_console, but it wasn't finished. My plan is to continue that work and remove the pam_console module.


Feedback

Benefit to Fedora

By removing pam_console and moving to systemd-logind the distribution would benefit from the multi-seat functionality and higher security levels.

Scope

  • Proposal owners:
  1. Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies).
  2. Remove pam_console from pam-redhat project and rebuild the PAM package without it.
  • Other developers:
  1. Identified software package maintainers should review and merge the pam_console removal PRs.
  • Policies and guidelines: N/A
  • Trademark approval: N/A
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

No impact is expected.


How To Test

No special hardware or configuration is required to test this change. Once the change is in place, check that pam_console isn't installed on your system (default location: /lib64/security/pam_console.so) and do a user authentication (e.g. graphical interface, su, ssh, and whatever else comes to your mind).


User Experience

Users won't experience any change.

Dependencies

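This change depends on other packages removing pam_console from their PAM stack. I have identified five packages and I have opened a bugzilla for all of them:

  • xorg-x11-server - https://bugzilla.redhat.com/show_bug.cgi?id=1822209
  • lxdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822227
  • xorg-x11-xdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822225
  • slim - https://bugzilla.redhat.com/show_bug.cgi?id=1822229
  • gdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822228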

From the above list only the first item is a blocker, as it requires pam_console to succeed in the authentication. In all other cases it is optional, so not removing the module from their PAM stack will only cause a message to be printed in the security file.
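
The check from How To Test and the required-versus-optional distinction above, as an added example (not part of the proposal or of any Fedora package): a shell function that lists pam_console entries in a PAM configuration directory and flags the ones that would break authentication once the module is removed. The function names and the sample service files are constructed for illustration; on a real system, pass /etc/pam.d.

```shell
#!/bin/sh
# Added example: find leftover pam_console references in a PAM config tree.

# scan_pam_console DIR -> one "file:type:control:impact" line per reference.
# Impact follows the proposal: a required entry fails authentication once the
# module is gone; an optional one only produces a log message.
# Backslash line continuations are not handled.
scan_pam_console() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            { sub(/#.*/, "") }                 # drop comments
            NF < 3 { next }                    # need: type control module
            {
                for (i = 3; i <= NF; i++) {
                    if ($i !~ "(^|/)pam_console[.]so$") continue
                    ctl = $2                   # control may be "[a=b c=d]"
                    for (j = 3; j < i; j++) ctl = ctl " " $j
                    if (ctl == "required" || ctl == "requisite") impact = "blocker"
                    else if (ctl == "optional") impact = "log-only"
                    else impact = "review"
                    print file ":" $1 ":" ctl ":" impact
                    break
                }
            }' "$f"
    done
}

# module_installed [PATH] -> exit 0 if the module file is still on disk.
# The default is the location given in How To Test.
module_installed() {
    [ -e "${1:-/lib64/security/pam_console.so}" ]
}

# Constructed sample tree (hypothetical service files, not from a real system).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#%PAM-1.0' 'auth required pam_console.so' \
        'account required pam_permit.so' > "$d/xserver"
    printf '%s\n' 'auth include system-auth' \
        '-session optional pam_console.so' \
        '# session optional pam_console.so' > "$d/display-manager"
    echo "$d"
}

tree=$(make_sample_tree)
scan_pam_console "$tree"
module_installed || echo "pam_console.so is not at the default location"
rm -rf "$tree"
```

Any line reported as "blocker" has to be removed from its service file before the module is dropped; "review" marks bracketed or other control values that need a manual look.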


Contingency Plan

  • Contingency mechanism: Postpone to the next release.
  • Contingency deadline: Beta freeze.
  • Blocks release? No.


Documentation

No documentation.


Release Notes

No need to update the release notes for this change.