Bug 1257951

Summary: [RFE] enhancement req: Add support for local modification of pam.d/ files that won't be destroyed by authconfig
Product: Red Hat Enterprise Linux 7
Reporter: dpecka
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: unspecified
Version: 7.3
CC: pkis
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Story Points: ---
Last Closed: 2015-08-31 08:51:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description dpecka 2015-08-28 13:03:55 UTC
Hello Red Hat,

I'd like to raise this enhancement request that Red Hat's PAM implementation support local tweaks that won't get overridden by authconfig.

Some changes and tweaks can't be done using pam-config or authconfig, for example proper setting of umask per group/user, e.g.:

session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
session optional pam_umask.so umask=0077
session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
session optional pam_umask.so umask=0002

^^ this sets a umask of 0077 for members of the group "secret-agents" and a umask of 0002 for the user with uid 1005.

I propose supporting pam.d/system-auth-local, which would be included (sourced) into system-auth (the most important login-related pam.d/ file, sourced by the vast majority of other modules) and which would be empty by default and not overridden by authconfig/pam-config.

Considering support for more files with the suffix -local seems reasonable to me.

Regards, daniel
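The four session lines above rely on Linux-PAM's bracketed control syntax: `[default=1 success=ignore]` lets pam_succeed_if act as a guard that skips the following pam_umask line whenever its condition is not met. The following is an added example, not code from the bug report or from Linux-PAM itself: a small simulator of that stack walk, covering only the control keywords (`optional`, `[default=N success=ignore]`) and pam_succeed_if conditions (`user ingroup`, `user notingroup`, `uid eq/ne`) the report uses, so an admin can check which umask a given account would end up with before touching a live pam.d file. The `Principal` type and the `SAMPLE_STACK` text are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the four session lines from the description, as one stack.
SAMPLE_STACK = """
session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
session optional pam_umask.so umask=0077
session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
session optional pam_umask.so umask=0002
"""


@dataclass
class Principal:
    """The identity pam_succeed_if inspects: login name, uid and group membership (hypothetical type)."""
    name: str
    uid: int
    groups: set = field(default_factory=set)


# Shorthand controls as Linux-PAM defines them, reduced to the result=action pairs used here.
_SHORTHAND = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(token):
    """Turn a control field ('optional' or '[default=1 success=ignore]') into {result: action}."""
    if token in _SHORTHAND:
        return dict(_SHORTHAND[token])
    m = re.fullmatch(r"\[(.*)\]", token)
    if not m:
        raise ValueError(f"unsupported control field: {token}")
    return dict(kv.split("=", 1) for kv in m.group(1).split())


def parse_stack(text):
    """Parse pam.d lines into (facility, control, module, args) tuples, skipping blanks and comments."""
    stack = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if parts[1].startswith("["):
            # Bracketed controls contain spaces, so rejoin tokens up to the closing bracket.
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        stack.append((parts[0], parse_control(control), rest[0], rest[1:]))
    return stack


def succeed_if(p, args):
    """pam_succeed_if: every <field> <op> <value> triple must hold (only the ops used on this page)."""
    conds = [a for a in args if a not in ("quiet", "quiet_success", "quiet_fail", "debug")]
    for fld, op, value in zip(conds[0::3], conds[1::3], conds[2::3]):
        if (fld, op) == ("user", "ingroup"):
            ok = value in p.groups
        elif (fld, op) == ("user", "notingroup"):
            ok = value not in p.groups
        elif fld == "uid" and op in ("eq", "ne"):
            ok = (p.uid == int(value)) == (op == "eq")
        else:
            raise ValueError(f"unsupported condition: {fld} {op} {value}")
        if not ok:
            return False
    return True


def effective_umask(stack, principal, initial=0o022):
    """Walk a session stack with Linux-PAM jump semantics and return the umask left in effect."""
    umask = initial
    i = 0
    while i < len(stack):
        _facility, control, module, args = stack[i]
        if module == "pam_succeed_if.so":
            success = succeed_if(principal, args)
        elif module == "pam_umask.so":
            for a in args:
                if a.startswith("umask="):
                    umask = int(a[len("umask="):], 8)
            success = True
        else:
            raise ValueError(f"unsupported module: {module}")
        action = control.get("success" if success else "default", control.get("default", "bad"))
        if action.isdigit():
            i += int(action)        # jump: skip the next N lines of the stack
        elif action in ("done", "die"):
            break                   # stop walking the stack
        i += 1                      # ok / ignore / bad: fall through to the next line
    return umask


STACK = parse_stack(SAMPLE_STACK)

if __name__ == "__main__":
    for who in (Principal("agent", 1001, {"secret-agents"}), Principal("builder", 1005),
                Principal("both", 1005, {"secret-agents"}), Principal("plain", 1002)):
        print(f"{who.name:8} -> umask {effective_umask(STACK, who):04o}")
```

Walking the stack this way makes one ordering caveat visible: an account that matches both guards (a uid-1005 user who is also in secret-agents) gets 0002, because the later pam_umask line runs last and overrides the earlier one, so the most restrictive rule should be placed last if it is meant to win.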

Comment 2 Tomas Mraz 2015-08-31 08:51:04 UTC
Authconfig supports a different way of local modification (by using symlinks), and I do not think we want to complicate the PAM configuration files even more.

Comment 3 dpecka 2015-08-31 14:49:50 UTC
(In reply to Tomas Mraz from comment #2)
> Authconfig supports different way of local modification (by using symlinks)
> and I do not think we want to complicate the pam configuration files even
> more.

Can you elaborate on that idea about symlinks and authconfig not overriding whatever your setup is?

I don't see anything complicated about a file pam.d/auth-config-local with just a commented-out header stating: here you can put your additional directives, my dear sysadmin.

regards, daniel

Comment 4 Tomas Mraz 2015-08-31 14:59:45 UTC
See the system-auth-ac(5) manual page for details.
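The mechanism the system-auth-ac(5) manual page describes, as I understand it: authconfig writes its generated stack to /etc/pam.d/system-auth-ac and keeps /etc/pam.d/system-auth as a symlink to it; an administrator who wants local lines replaces the symlink with a regular file that carries those lines and pulls the managed stack in with `include system-auth-ac`, and authconfig then keeps rewriting only system-auth-ac. The following is an added example, not code from the bug report, authconfig or Red Hat: it walks through that conversion in a temporary directory that stands in for /etc/pam.d (nothing on the host is touched), then simulates an authconfig regeneration and checks that the local umask lines from the report survive. The file contents are constructed samples, and `demo()` is a hypothetical helper.

```python
import os
import tempfile

# Constructed stand-in for the file authconfig generates (not copied from any real host).
GENERATED_AC = """\
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
session     required      pam_limits.so
session     required      pam_unix.so
"""

# The local lines from the bug report, to be placed ahead of the managed stack.
LOCAL_LINES = """\
session     [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
session     optional      pam_umask.so umask=0077
session     [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
session     optional      pam_umask.so umask=0002
"""


def setup_scratch(pamd):
    """Lay out the authconfig-managed state: system-auth-ac plus system-auth -> system-auth-ac."""
    os.makedirs(pamd, exist_ok=True)
    with open(os.path.join(pamd, "system-auth-ac"), "w") as f:
        f.write(GENERATED_AC)
    os.symlink("system-auth-ac", os.path.join(pamd, "system-auth"))


def is_managed_symlink(pamd):
    """True while system-auth is still the symlink authconfig maintains."""
    return os.path.islink(os.path.join(pamd, "system-auth"))


def localize_system_auth(pamd, local_lines):
    """Replace the symlink with a regular file: local lines first, then 'include system-auth-ac'
    for each facility, so authconfig's output keeps being used without ever being edited."""
    path = os.path.join(pamd, "system-auth")
    if not os.path.islink(path):
        raise RuntimeError("system-auth is already a regular file; refusing to overwrite local edits")
    os.unlink(path)
    body = "#%PAM-1.0\n# Local additions; the authconfig-managed stack is pulled in below.\n" + local_lines
    for facility in ("auth", "account", "password", "session"):
        body += f"{facility:<12}include       system-auth-ac\n"
    with open(path, "w") as f:
        f.write(body)


def simulate_authconfig_rewrite(pamd):
    """authconfig regenerates only system-auth-ac; a regular system-auth is left alone."""
    with open(os.path.join(pamd, "system-auth-ac"), "w") as f:
        f.write("#%PAM-1.0\n# regenerated by authconfig\nsession     required      pam_unix.so\n")


def demo():
    """Run the whole sequence in a temporary directory and report what a checker would see."""
    with tempfile.TemporaryDirectory() as pamd:
        setup_scratch(pamd)
        before = is_managed_symlink(pamd)
        localize_system_auth(pamd, LOCAL_LINES)
        simulate_authconfig_rewrite(pamd)
        with open(os.path.join(pamd, "system-auth")) as f:
            content = f.read()
        return {
            "symlink_before": before,
            "symlink_after": is_managed_symlink(pamd),
            "umask_lines_kept": content.count("pam_umask.so"),
            "includes_ac": content.count("include       system-auth-ac"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The refusal in `localize_system_auth` when system-auth is already a regular file is the check worth keeping in any real migration script: a second run must not clobber local edits the same way authconfig would. The same pattern applies to the other authconfig-managed pairs such as password-auth and password-auth-ac.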