While in /etc/pam.d/authconfig I see lines like this:
Quote:
auth sufficient /lib/security/$ISA/pam_rootok.so
Q1: Is there any standard regarding when to use colon vs. no-colon and full path vs. no-path?
Q2: I know what $ISA is all about - what a hack! - but ISA is not an environmental variable, so where does it come from?
Q3: For those people (like me) who do not have source header files, is there a standard, universal argument to get daemons to dump their default settings? And, if not, wouldn't it be a good idea to add such a standard, universal argument?
Q4: In PAM, what is processed first: auth, account, password, or session? (Note: wouldn't it make sense to pam_warn only the one that's processed first?)
A1. There is no standard because the format of these files is different for each application, it is whatever the developer wants it to be.
A2. It's a variable specifically used by the application, variables don't have to exist globally.
A3. No, there isn't. It may be a good idea but I don't think you'll get every possible development group/individual to agree with you. There are GNU coding standards http://www.gnu.org/prep/standards/ as well, but who's going to enforce adherence? These are guidelines not laws...
A4. None... only the group that applies to the request is processed
What kbp said is true, but I'm going to try to expand a bit here:
Quote:
Originally Posted by MarkFilipak
Q1: Is there any standard regarding when to use colon vs. no-colon and full path vs. no-path?
Applications can define their own file formats. Most file formats are very basic and fairly self-documenting. Part of the reason this is done is because the logic required to parse a config file can be large compared to a small application, so a simpler parser helps keep things down. (This is one of the reasons why PAM is done the way it is.)
Quote:
Q2: I know what $ISA is all about - what a hack! - but ISA is not an environmental variable, so where does it come from?
Yes, $ISA is a pretty elegant way to address this. It's replaced by the pam library with the "Instruction Set Architecture" family.
Quote:
Q3: For those people (like me) who do not have source header files, is there a standard, universal argument to get daemons to dump their default settings? And, if not, wouldn't it be a good idea to add such a standard, universal argument?
The man pages for most daemons document the default values. And do you really want to start a daemon with default values, even if you're dumping those values in the process?
Quote:
Q4: In PAM, what is processed first: auth, account, password, or session? (Note: wouldn't it make sense to pam_warn only the one that's processed first?)
Processed first? They're processed depending on the situation. "auth" is processed when authenticating as a user. "account" is for changing account settings. "password" is how the password for the account is updated. And finally, "session" is run for each newly created session (X session, shell, etc.)
Thank you gentlemen. May I follow up on one point?
Quote:
Originally Posted by Matir
Quote:
Q4: In PAM, what is processed first: auth, account, password, or session? (Note: wouldn't it make sense to pam_warn only the one that's processed first?)
Processed first? They're processed depending on the situation. "auth" is processed when authenticating as a user. "account" is for changing account settings. "password" is how the password for the account is updated. And finally, "session" is run for each newly created session (X session, shell, etc.)
Ooops! I should have been more specific. I assume that an unauthorized user (hacker) would first have to log in. Thus, in /etc/pam.d/others, though it would be a good idea to pam_deny all four: auth, account, password, and session, I really only need to pam_warn for auth. Is that sound thinking? Much thanks -- Mark
Last edited by MarkFilipak; 10-01-2009 at 07:50 PM.
the chance of getting hacked is very low in linux
and not that high in windows with a decent firewall
as for viruses a big problem almost nonexistent in linux
Quote:
the chance of getting hacked is very low in linux and not that high in windows with a decent firewall as for viruses a big problem almost nonexistent in linux
Ummm... The chance is low if I have my system set up properly. Of course, that's what I'm trying to do. Re: firewalls, I'm utterly convinced that a firewall is not needed (in Windows XP clients) if and only if accounts and permissions are properly set up. I hope to prove that contention in the near future with a system that has three users: Worker, Surfer, and Wizard. Worker has no network and has ordinary user permissions. Surfer has a network, but cannot write anything except email and a download directory and cannot install anything. Wizard has administrator privileges but is intended only to install programs, updates, and patches. A login script automatically virus scans everything new in the download directory whenever Wizard logs in. Comments are welcome. Ciao -- Mark
Quote:
Thank you gentlemen. May I follow up on one point? Ooops! I should have been more specific. I assume that an unauthorized user (hacker) would first have to log in. Thus, in /etc/pam.d/others, though it would be a good idea to pam_deny all four: auth, account, password, and session, I really only need to pam_warn for auth. Is that sound thinking? Much thanks -- Mark
You really don't need to use pam_deny OR pam_warn if you have your authentication set up properly. IMO, pam_warn is mainly useful for debugging as it shows all the values pam is considering. An unauthorized user would only hit auth, and that should be protected by modules like pam_unix.
When should the full path be used and how would I know? Thanks -- Mark
Honestly, it seems to be a distribution thing. On Ubuntu, the paths are /lib64/security and /lib/security, and PAM automatically handles it. RH-based distros seem to prefer /lib/security/$ISA.
Most of the time, you should be fine with the shortname.
I hesitate to press the point as you obviously are a generous person, but I'm honestly mystified.
Quote:
Originally Posted by Matir
Honestly, it seems to be a distribution thing. On Ubuntu, the paths are /lib64/security and /lib/security, and PAM automatically handles it. RH-based distros seem to prefer /lib/security/$ISA.
I understand that the paths will be different in differing distributions, but this is important and I don't understand what's "under the hood".
It seems that /etc/pam.d/sshd somehow knows that, in a directive like "auth required pam_stack.so service=system-auth", pam_stack.so is located at /lib/security/$ISA/pam_stack.so. How does it know that? And if PAM has such a mechanism that somehow knows it, why does /etc/pam.d/other use full paths? Is it that I'm just missing something? Thanks for your time. Ciao -- Mark
module-path is either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location: /lib/security/ or /lib64/security/, depending on the architecture.
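As an added example (not part of the thread and not PAM's own code), the sketch below applies the module-path rule quoted above to each directive in a service file and flags modules that resolve outside the default directories. The value substituted for $ISA is an assumption passed in by the caller, and the sample file is constructed.

```python
import posixpath
import re

DEFAULT_DIRS = ("/lib/security", "/lib64/security")  # default locations quoted in the thread
TYPES = ("auth", "account", "password", "session")
# type, control (plain word or [bracketed] form), module-path, optional arguments
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_line(line):
    """Return (type, control, module_path, args) for one /etc/pam.d/<service> line, or None."""
    line = line.split("#", 1)[0].strip()   # simplification: '#' always starts a comment
    if not line or line.startswith("@include"):   # Debian-style include lines are skipped
        return None
    m = LINE_RE.match(line)
    if not m or m.group(1).lstrip("-") not in TYPES:   # a leading '-' on the type is allowed
        raise ValueError("not a PAM directive: " + line)
    mtype, control, module_path, argstr = m.groups()
    return mtype, control, module_path, argstr.split()

def resolve(module_path, default_dir="/lib/security", isa=""):
    """Apply the rule: a leading '/' means a full filename, otherwise relative to default_dir."""
    path = module_path.replace("$ISA", isa)   # isa is caller-supplied (assumption)
    if not path.startswith("/"):
        path = posixpath.join(default_dir, path)
    return posixpath.normpath(path)           # collapses '//' and '..' components

def audit(text, default_dir="/lib/security", isa=""):
    """Return (line number, type, resolved path, in_default_dir) for every directive."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        mtype, _control, module_path, _args = entry
        full = resolve(module_path, default_dir, isa)
        findings.append((lineno, mtype, full, posixpath.dirname(full) in DEFAULT_DIRS))
    return findings

# Constructed sample; the first two directives are the ones quoted in the thread.
SAMPLE = """\
# constructed sample service file
auth     sufficient  /lib/security/$ISA/pam_rootok.so
auth     required    pam_stack.so service=system-auth
session  optional    /opt/vendor/pam_example.so
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A directive whose last field is False loads a module from outside the default locations, which is worth confirming against what the distribution's packages installed.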