LinuxQuestions.org


MarkFilipak 10-01-2009 08:50 AM

Four security (and related) questions
 
In etc/imapd.conf I see lines like this:
Quote:

configdirectory: /var/lib/imap

But in /etc/pam.d/sshd I see lines like this:
Quote:

auth required pam_stack.so service=system-auth

While in /etc/pam.d/authconfig I see lines like this:
Quote:

auth sufficient /lib/security/$ISA/pam_rootok.so

Q1: Is there any standard regarding when to use colon vs. no-colon and full path vs. no-path?

Q2: I know what $ISA is all about - what a hack! - but ISA is not an environmental variable, so where does it come from?

Q3: For those people (like me) who do not have source header files, is there a standard, universal argument to get daemons to dump their default settings? And, if not, wouldn't it be a good idea to add such a standard, universal argument?

Q4: In PAM, what is processed first: auth, account, password, or session? (Note: wouldn't it make sense to pam_warn only the one that's processed first?)

Thanks -- Mark

kbp 10-01-2009 10:40 AM

Hi Mark,

A1. There is no standard because the format of these files is different for each application; it is whatever the developer wants it to be.

A2. It's a variable specifically used by the application; variables don't have to exist globally.

A3. No, there isn't. It may be a good idea but I don't think you'll get every possible development group/individual to agree with you. There are GNU coding standards http://www.gnu.org/prep/standards/ as well, but who's going to enforce adherence? These are guidelines, not laws...

A4. None... only the group that applies to the request is processed

good luck on your journey,

kbp

Matir 10-01-2009 01:10 PM

What kbp said is true, but I'm going to try to expand a bit here:
Quote:

Originally Posted by MarkFilipak (Post 3703542)
Q1: Is there any standard regarding when to use colon vs. no-colon and full path vs. no-path?

Applications can define their own file formats. Most file formats are very basic and fairly self-documenting. Part of the reason this is done is because the logic required to parse a config file can be large compared to a small application, so a simpler parser helps keep things down. (This is one of the reasons why PAM is done the way it is.)
Quote:

Q2: I know what $ISA is all about - what a hack! - but ISA is not an environmental variable, so where does it come from?

Yes, $ISA is a pretty elegant way to address this. It's replaced by the pam library with the "Instruction Set Architecture" family.
Quote:

Q3: For those people (like me) who do not have source header files, is there a standard, universal argument to get daemons to dump their default settings? And, if not, wouldn't it be a good idea to add such a standard, universal argument?

The man pages for most daemons document the default values. And do you really want to start a daemon with default values, even if you're dumping those values in the process?
Quote:

Q4: In PAM, what is processed first: auth, account, password, or session? (Note: wouldn't it make sense to pam_warn only the one that's processed first?)

Processed first? They're processed depending on the situation. "auth" is processed when authenticating as a user. "account" is for changing account settings. "password" is how the password for the account is updated. And finally, "session" is run for each newly created session (X session, shell, etc.)

MarkFilipak 10-01-2009 07:42 PM

Thank you gentlemen. May I follow up on one point?
Quote:

Originally Posted by Matir (Post 3703902)
Quote:

Q4: In PAM, what is processed first: auth, account, password, or session? (Note: wouldn't it make sense to pam_warn only the one that's processed first?)
Processed first? They're processed depending on the situation. "auth" is processed when authenticating as a user. "account" is for changing account settings. "password" is how the password for the account is updated. And finally, "session" is run for each newly created session (X session, shell, etc.)

Ooops! I should have been more specific. I assume that an unauthorized user (hacker) would first have to log in. Thus, in /etc/pam.d/others, though it would be a good idea to pam_deny all four: auth, account, password, and session, I really only need to pam_warn for auth. Is that sound thinking? Much thanks -- Mark

smeezekitty 10-01-2009 07:51 PM

the chance of getting hacked is very low in linux
and not that high in windows with a decent firewall
as for viruses a big problem almost nonexistent in linux

MarkFilipak 10-01-2009 08:03 PM

Regarding paths in directives...

In my system, /etc/pam.d/sshd (in part) shows this:
Quote:

auth required pam_stack.so service=system-auth

while /etc/pam.d/other (in part) shows this:
Quote:

auth required /lib/security/$ISA/pam_deny.so

When should the full path be used and how would I know? Thanks -- Mark

MarkFilipak 10-01-2009 09:28 PM

Quote:

Originally Posted by smeezekitty (Post 3704392)
the chance of getting hacked is very low in linux and not that high in windows with a decent firewall as for viruses a big problem almost nonexistent in linux

Ummm... The chance is low if I have my system set up properly. Of course, that's what I'm trying to do. Re: firewalls, I'm utterly convinced that a firewall is not needed (in Windows XP clients) if and only if accounts and permissions are properly set up. I hope to prove that contention in the near future with a system that has three users: Worker, Surfer, and Wizard. Worker has no network and has ordinary user permissions. Surfer has a network, but cannot write anything except email and a download directory and cannot install anything. Wizard has administrator privileges but is intended only to install programs, updates, and patches. A login script automatically virus scans everything new in the download directory whenever Wizard logs in. Comments are welcome. Ciao -- Mark

Matir 10-01-2009 09:59 PM

Quote:

Originally Posted by MarkFilipak (Post 3704384)
Thank you gentlemen. May I follow up on one point? Ooops! I should have been more specific. I assume that an unauthorized user (hacker) would first have to log in. Thus, in /etc/pam.d/others, though it would be a good idea to pam_deny all four: auth, account, password, and session, I really only need to pam_warn for auth. Is that sound thinking? Much thanks -- Mark

You really don't need to use pam_deny OR pam_warn if you have your authentication set up properly. IMO, pam_warn is mainly useful for debugging as it shows all the values pam is considering. An unauthorized user would only hit auth, and that should be protected by modules like pam_unix.

Matir 10-01-2009 10:03 PM

Quote:

Originally Posted by MarkFilipak (Post 3704403)
Regarding paths in directives...

When should the full path be used and how would I know? Thanks -- Mark

Honestly, it seems to be a distribution thing. On Ubuntu, the paths are /lib64/security and /lib/security, and PAM automatically handles it. RH-based distros seem to prefer /lib/security/$ISA.

Most of the time, you should be fine with the shortname.

MarkFilipak 10-01-2009 11:53 PM

I hesitate to press the point as you obviously are a generous person, but I'm honestly mystified.
Quote:

Originally Posted by Matir (Post 3704514)
Honestly, it seems to be a distribution thing. On Ubuntu, the paths are /lib64/security and /lib/security, and PAM automatically handles it. RH-based distros seem to prefer /lib/security/$ISA.

I understand that the paths will be different in differing distributions, but this is important and I don't understand what's "under the hood".

It seems that /etc/pam.d/sshd somehow knows that, in a directive like "auth required pam_stack.so service=system-auth", pam_stack.so is located at /lib/security/$ISA/pam_stack.so. How does it know that? And if PAM has such a mechanism that somehow knows it, why does /etc/pam.d/other use full paths? Is it that I'm just missing something? Thanks for your time. Ciao -- Mark

chrism01 10-02-2009 02:02 AM

Quote:

module-path is either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location: /lib/security/ or /lib64/security/, depending on the architecture.
http://linux.die.net/man/5/pam.conf
http://osdir.com/ml/linux.pam/2007/msg00401.html
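
The module-path rule quoted from pam.conf(5) above, as an added example that is not part of the original thread: a small Python audit helper that parses /etc/pam.d-style directives, resolves each module to the file PAM would load, and marks modules that live outside the default module directory so they can be reviewed. The `isa` parameter (what `$ISA` expands to), the helper names and the `/opt/example` line are assumptions made for illustration.

```python
import posixpath

MGMT_TYPES = ("auth", "account", "password", "session")

def parse_pam_line(line):
    """Split one /etc/pam.d/<service> line into (type, control, module, args)."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 3 or tokens[0].lstrip("-") not in MGMT_TYPES:
        return None  # blank line, comment, or not a module directive
    mtype, rest = tokens[0].lstrip("-"), tokens[1:]
    # The control field may be bracketed with spaces, e.g. [success=1 default=ignore].
    end = 0
    if rest[0].startswith("["):
        while end < len(rest) - 1 and not rest[end].endswith("]"):
            end += 1
    if end + 1 >= len(rest):
        return None  # control field present but no module field
    return mtype, " ".join(rest[:end + 1]), rest[end + 1], rest[end + 2:]

def resolve_module(module, default_dir="/lib/security", isa=""):
    """pam.conf(5) rule: a leading '/' is a full path, anything else is relative
    to the default module directory. `isa` is an assumed stand-in for $ISA."""
    if module.startswith("/"):
        path = module.replace("$ISA", isa)
    else:
        path = posixpath.join(default_dir, module)
    return posixpath.normpath(path)

def audit(text, default_dir="/lib/security", isa=""):
    """Return (type, control, resolved_path, outside_default_dir) per directive."""
    rows = []
    for parsed in filter(None, map(parse_pam_line, text.splitlines())):
        mtype, control, module, _args = parsed
        path = resolve_module(module, default_dir, isa)
        outside = posixpath.dirname(path) != posixpath.normpath(default_dir)
        rows.append((mtype, control, path, outside))
    return rows

# First three directives are the ones quoted in the thread; the last is constructed.
SAMPLE = """\
auth     required    pam_stack.so service=system-auth
auth     required    /lib/security/$ISA/pam_deny.so
auth     sufficient  /lib/security/$ISA/pam_rootok.so
session  optional    /opt/example/pam_custom.so
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```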

