No edit summary |
(Add trackers) |
||
(13 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
= Remove pam_console = | = Remove pam_console = | ||
== Summary == | == Summary == | ||
Remove pam_console as it is | Remove pam_console as it is not enabled by default, can be replaced by systemd and has security issues. | ||
== Owner == | == Owner == | ||
Line 15: | Line 13: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAcceptedF39]] | ||
<!-- TODO: --> | <!-- TODO: --> | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
Line 33: | Line 31: | ||
ON_QA -> change is fully code complete | ON_QA -> change is fully code complete | ||
--> | --> | ||
* FESCo issue: | * [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3MV5G32UF2TQ3U7JZXPRLQWCQUPR7QT2/ devel thread] | ||
* Tracker bug: | * FESCo issue: [https://pagure.io/fesco/issue/2945 #2945] | ||
* Release notes tracker: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2166692 #2166692] | ||
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/965 #965] | |||
== Detailed Description == | == Detailed Description == | ||
pam_console give users at the physical console additional capabilities when authenticating, and removes those capabilities when the user logs out. The module changes the permissions and ownership of files and devices. | |||
pam_console has some limitations and flaws: | |||
* Only one user can have those additional capabilities at the same time (no multi-seat) | |||
* Potential security problems of device file ownership if the PAM conversation ending isn't executed | |||
* Remove ACL and call revoke() on device nodes for fast-user-switching. This is to prevent the user of the inactive session B spying on the user of the active session A using webcam, sound cards, etc. | |||
* As of today the module does nothing because one of the configuration files use to define the permissions (50-default.perms) is not installed in the distribution. Other packages may install their own configuration files to specify the permissions, but I haven't found any. | |||
These additional capabilities that pam_console provides are useful to simplify the work for console users. Usually, the permissions are set for devices like the CD/DVD reader, or the disk drives. This functionality is still useful today, and it should be managed with systemd-logind, rather than with a PAM module. This systemd service takes care of user sessions, multi-seat management, device access management... This would increase the security level of the system, and enable multi-seat for the file and device permissions. For more information on systemd-logind implementation refer to the documentation on how to [https://www.freedesktop.org/wiki/Software/systemd/writing-display-managers/ Write Display Managers] and [https://www.freedesktop.org/wiki/Software/systemd/writing-desktop-environments/ Write Desktop Environments]. | |||
In 2007 there was a [[Releases/FeatureRemovePAMConsole|System-Wide Change]] proposal to remove pam_console, but it wasn't finished. My plan is to continue that work and remove the pam_console module. | |||
== Feedback == | == Feedback == | ||
Line 44: | Line 54: | ||
== Benefit to Fedora == | == Benefit to Fedora == | ||
By removing pam_console and moving to systemd-logind the distribution would benefit from the multi-seat functionality and higher security levels. | |||
== Scope == | == Scope == | ||
* Proposal owners: | * Proposal owners: | ||
# Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies). | # Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies). | ||
# Remove pam_console from [https://pagure.io/pam-redhat pam-redhat] project and rebuild | # Remove pam_console from [https://pagure.io/pam-redhat pam-redhat] project and rebuild the PAM package without it. | ||
* Other developers: | * Other developers: | ||
# Identified software package maintainers should review and merge the pam_console removal PRs. | # Identified software package maintainers should review and merge the pam_console removal PRs. | ||
* Release engineering: [https://pagure.io/releng/ | * Release engineering: [https://pagure.io/releng/issue/11223 #11223] | ||
* Policies and guidelines: N/A | * Policies and guidelines: N/A | ||
Line 71: | Line 78: | ||
== How To Test == | == How To Test == | ||
No special hardware or configuration is required to test this change. Once the change is in place, check that the pam_console isn't installed in your system (default location: /lib64/security/pam_console.so) and do a user authentication (i.e. graphical interface, su, ssh, and whatever else comes to your mind). | No special hardware or configuration is required to test this change. Once the change is in place, check that the pam_console isn't installed in your system (default location: /lib64/security/pam_console.so) and do a user authentication (i.e. graphical interface, su, ssh, and whatever else comes to your mind). | ||
== User Experience == | == User Experience == | ||
Users won't experience any change. | |||
== Dependencies == | == Dependencies == | ||
This change depends on other packages removing pam_console from their PAM stack. I have identified five packages and I have opened a bugzilla for all of them: | |||
* xorg-x11-server - https://bugzilla.redhat.com/show_bug.cgi?id=1822209 | |||
* lxdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822227 | |||
* xorg-x11-xdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822225 | |||
* slim - https://bugzilla.redhat.com/show_bug.cgi?id=1822229 | |||
* gdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822228 | |||
From the above list only the first item is a blocker as it requires pam_console to succeed in the authentication. In all other cases it is optional, so not removing the module from their PAM stack will only cause a message printed in the security file. | |||
== Contingency Plan == | == Contingency Plan == | ||
* Contingency mechanism: Postpone to the next release. | |||
* Contingency mechanism: | * Contingency deadline: Beta freeze. | ||
* Blocks release? No. | |||
* Contingency deadline: | |||
* Blocks release? | |||
== Documentation == | == Documentation == | ||
No documentation. | |||
== Release Notes == | == Release Notes == | ||
No need to update the release notes for this change. | |||
Latest revision as of 16:36, 2 February 2023
Remove pam_console
Summary
Remove pam_console as it is not enabled by default, can be replaced by systemd and has security issues.
Owner
- Name: Iker Pedrosa
- Email: ipedrosa@redhat.com
Current status
- Targeted release: Fedora Linux 39
- Last updated: 2023-02-02
- devel thread
- FESCo issue: #2945
- Tracker bug: #2166692
- Release notes tracker: #965
Detailed Description
pam_console give users at the physical console additional capabilities when authenticating, and removes those capabilities when the user logs out. The module changes the permissions and ownership of files and devices.
pam_console has some limitations and flaws:
- Only one user can have those additional capabilities at the same time (no multi-seat)
- Potential security problems of device file ownership if the PAM conversation ending isn't executed
- Remove ACL and call revoke() on device nodes for fast-user-switching. This is to prevent the user of the inactive session B spying on the user of the active session A using webcam, sound cards, etc.
- As of today the module does nothing because one of the configuration files use to define the permissions (50-default.perms) is not installed in the distribution. Other packages may install their own configuration files to specify the permissions, but I haven't found any.
These additional capabilities that pam_console provides are useful to simplify the work for console users. Usually, the permissions are set for devices like the CD/DVD reader, or the disk drives. This functionality is still useful today, and it should be managed with systemd-logind, rather than with a PAM module. This systemd service takes care of user sessions, multi-seat management, device access management... This would increase the security level of the system, and enable multi-seat for the file and device permissions. For more information on systemd-logind implementation refer to the documentation on how to Write Display Managers and Write Desktop Environments.
In 2007 there was a System-Wide Change proposal to remove pam_console, but it wasn't finished. My plan is to continue that work and remove the pam_console module.
Feedback
Benefit to Fedora
By removing pam_console and moving to systemd-logind the distribution would benefit from the multi-seat functionality and higher security levels.
Scope
- Proposal owners:
- Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies).
- Remove pam_console from pam-redhat project and rebuild the PAM package without it.
- Other developers:
- Identified software package maintainers should review and merge the pam_console removal PRs.
- Release engineering: #11223
- Policies and guidelines: N/A
- Trademark approval: N/A
- Alignment with Objectives: N/A
Upgrade/compatibility impact
No impact is expected.
How To Test
No special hardware or configuration is required to test this change. Once the change is in place, check that the pam_console isn't installed in your system (default location: /lib64/security/pam_console.so) and do a user authentication (i.e. graphical interface, su, ssh, and whatever else comes to your mind).
User Experience
Users won't experience any change.
Dependencies
This change depends on other packages removing pam_console from their PAM stack. I have identified five packages and I have opened a bugzilla for all of them:
- xorg-x11-server - https://bugzilla.redhat.com/show_bug.cgi?id=1822209
- lxdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822227
- xorg-x11-xdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822225
- slim - https://bugzilla.redhat.com/show_bug.cgi?id=1822229
- gdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822228
From the above list only the first item is a blocker as it requires pam_console to succeed in the authentication. In all other cases it is optional, so not removing the module from their PAM stack will only cause a message printed in the security file.
Contingency Plan
- Contingency mechanism: Postpone to the next release.
- Contingency deadline: Beta freeze.
- Blocks release? No.
Documentation
No documentation.
Release Notes
No need to update the release notes for this change.