Diffstat (limited to 'debian')
-rw-r--r-- debian/changelog 3
-rw-r--r-- debian/local/Debian-PAM-MiniPolicy 34
2 files changed, 7 insertions, 30 deletions
diff --git a/debian/changelog b/debian/changelog
index 63390fc1..509ddd01 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,9 @@ pam (1.0.1-2) UNRELEASED; urgency=low
* Look for cups instead of cupsys as an init script name when restarting
services; thanks to Stephen Olander-Waters for pointing this out.
Closes: #492977.
+ * Update the Debian PAM mini-policy to remove references to the
+ long-obsolete pam_pwdb, and clarify the relationship between pam_stack
+ and @include.
-- Steve Langasek <vorlon@debian.org> Wed, 30 Jul 2008 00:55:10 -0700
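Review bot: the added changelog entry describes the change as an update to "the Debian PAM mini-policy" without naming the file, which is a style point for anyone later matching changelog lines to the tree. Consider mentioning debian/local/Debian-PAM-MiniPolicy in the entry, since that is the only file the policy change touches.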
diff --git a/debian/local/Debian-PAM-MiniPolicy b/debian/local/Debian-PAM-MiniPolicy
index cfbfd471..f3295f32 100644
--- a/debian/local/Debian-PAM-MiniPolicy
+++ b/debian/local/Debian-PAM-MiniPolicy
@@ -57,41 +57,15 @@ to reference the basename (eg. "pam_unix.so"). This will ensure that the
program continues to work even if the module location changes, since
libpam itself will resolve the location.
-Under no circumstances should any program in Debian use the pam_pwdb.so
-module by default. Instead the pam_unix.so module should be used. Most
-programs with RedHat support/default files will reference pam_pwdb.so in
-their example files. Do not use this. There are several problems with
-regard to pam_pwdb.so:
-
- 1) It attempts to reimplement glibc's NSS code. For example, if your
- program uses pam_pwdb.so, and the user changes /etc/nsswitch.conf to use
- NIS, NIS+, or LDAP, then your program will fail to work unless the user
- also knows to edit /etc/pwdb.conf (which is not necessary for
- pam_unix.so). In the case of LDAP, the program would become absolutely
- useless until the user modifies the pam.d file themselves to use
- pam_unix.so.
-
- 2) It adds to the layer of glibc function calls making it harder to
- debug problems. Because libpwdb masks glibc native calls, it requires
- being able to debug libpwdb, libpam, libc and the offending program.
-
-Note that pam_unix.so takes the same module arguments as pam_pwdb.so, so
-you can just replace the references. If you are not sure if the pam.d
-files is correctly setup, please feel free to email it to me, and I will
-glance it over.
-
-UPDATE: libpwdb and this libpam-pwdb have been removed from Debian as of
-Woody. So even if you decided to use pam_pwdb, it will be broken, so HAHA
-:)
-
-You should also not use the pam_stack module in the pam config file.
+You should not use the pam_stack module in the pam config file.
It's not currently in Debian so it won't work. While I cannot stop
someone from packaging pam_stack for Debian, I will try to convince
them that it is not the direction we want. Pam_stack (among other
faults) uses different pam handles for each step in the process--the
handle used for session management is not the same as the handle used
-for authentication. This breaks several modules. We will have an
-alternate solution for shared PAM configuration across modules.
+for authentication. This breaks several modules. We have an alternate
+solution for shared PAM configuration across modules, in the form of
+the @include directive.
Currently libpam-modules is in the base setup, so it's dependency is not
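Review bot: the rewritten end of the pam_stack paragraph names "the @include directive" as the replacement but gives neither its syntax nor the files it is meant to pull in, so a maintainer told not to use pam_stack still has no concrete line to put in a pam.d file. Consider adding a one-line example of an @include entry, or a pointer to where the directive is documented, directly after "the @include directive." Two smaller points in the same paragraph: the retained sentences "It's not currently in Debian so it won't work" and "I will try to convince them" read as time-bound and first-person now that the alternative exists and could be restated as policy, and the trailing context line has "it's dependency" where "its dependency" is meant, which could be fixed in a follow-up.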