|author||Steve Langasek <firstname.lastname@example.org>||2009-08-18 17:28:32 -0700|
|committer||Steve Langasek <email@example.com>||2019-01-08 19:42:00 -0800|
document common-session-noninteractive in the Debian PAM policy
Diffstat (limited to 'debian')
1 files changed, 20 insertions, 5 deletions
diff --git a/debian/local/Debian-PAM-MiniPolicy b/debian/local/Debian-PAM-MiniPolicy
index f3295f32..c7304380 100644
@@ -1,5 +1,6 @@
Author: Ben Collins <firstname.lastname@example.org>
-Modified by: Sam Hartman <email@example.com>
+Modified by: Sam Hartman <firstname.lastname@example.org>,
+ Steve Langasek <email@example.com>
Objective: To document a base set of policies regarding PAM (Pluggable
Authentication Modules) usage in Debian packages.
@@ -23,10 +24,22 @@ Each application that uses PAM also must contain a file in
/etc/pam.d/. This file specifies which PAM modules will be used for
the common PAM functions in that application. There are several notes
concerning what modules to use in this file. Most commonly, this file
-should use the @include directive to include common-auth,
-common-session, common-account and common-password. Under some
-circumstances (such as ftp auth, or auth based on tty) other modules
-will be required.
+should use the @include directive to include common-auth, common-account,
+and common-password, and one of either common-session or
+The selection of common-session or common-session-noninteractive is based
+on whether the service provides "shell-like" interactive capabilities to
+the user (e.g.: login, ssh, gdm) or is a non-interactive session or a
+session mediated by a structured protocol (e.g.: cron, cups, samba, ppp).
+This allows a service to avoid calling some modules, such as
+pam_ck_connector, that only make sense in an interactive context and should
+be avoided otherwise. It is expected that the modules used for
+noninteractive sessions will always be a subset of those used for
+Under some circumstances (such as ftp auth, or auth based on tty) other
+modules will be required.
Here is an example of a PAM configuration file that just includes the common module fragments:
@@ -76,6 +89,8 @@ must be depended on.
Applications need to depend on libpam-runtime (>= 0.76-14) to
guarantee that /etc/pam.d/common-* exist.
+Applications that use common-session-noninteractive must depend
+on libpam-runtime (>= 1.0.1-11) for this file.
The pam_unix.so module allows programs to verify the authentication of the
uid of the calling process without any set bits (uid or gid). NOTE: this