Bug 1257951 - [RFE]enhancement req: Add a support for local modification of pam.d/ files that won't be destroyed by authconfig
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Assigned To: Tomas Mraz
QA Contact: BaseOS QE Security Team
Keywords: FutureFeature
Reported: 2015-08-28 09:03 EDT by dpecka
Modified: 2015-08-31 10:59 EDT
Doc Type: Enhancement
Last Closed: 2015-08-31 04:51:04 EDT
Type: Bug
Description dpecka 2015-08-28 09:03:55 EDT
Hello redhat,

I'd like to raise this enhancement request: that Red Hat's PAM implementation support local tweaks that won't get overridden by authconfig.

Some changes and tweaks can't be done using pam-config or authconfig - for example, proper setting of umask per group/user, e.g.:

session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
session optional pam_umask.so umask=0077
session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
session optional pam_umask.so umask=0002

^^ this sets a umask of 0077 for members of group "secret-agents" and a umask of 0002 for the user with uid 1005 ..

I propose supporting pam.d/system-auth-local, which would be included (sourced) into system-auth (the most important pam.d/ login-related file, sourced by the vast majority of other modules), would be empty by default, and would not be overridden by authconfig/pam-config ...

Considering support for more files with the suffix -local seems reasonable to me.

Regards, daniel
Comment 2 Tomas Mraz 2015-08-31 04:51:04 EDT
Authconfig supports a different way of local modification (by using symlinks) and I do not think we want to complicate the pam configuration files even more.
Comment 3 dpecka 2015-08-31 10:49:50 EDT
(In reply to Tomas Mraz from comment #2)
> Authconfig supports a different way of local modification (by using symlinks)
> and I do not think we want to complicate the pam configuration files even
> more.

Can you elaborate on that idea about symlinks and authconfig not overriding whatever your setup is?

I don't see anything complicated about a file pam.d/auth-config-local with just a commented-out header stating: here you can put your additional directives, my dear sysadmin ..

regards, daniel
Comment 4 Tomas Mraz 2015-08-31 10:59:45 EDT
See the system-auth-ac(5) manual page for details.
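
The symlink approach that comment 2 and system-auth-ac(5) refer to, as an added example that is not part of the original bug thread: authconfig writes system-auth-ac and does not change the system-auth symlink once it points at a different file, so a local file can include system-auth-ac and carry the umask rules from the description. The function names and the directory parameter are assumptions of this example; the file name system-auth-local follows the reporter's proposal.

```shell
#!/bin/sh
# Added example (not from the bug thread): keep local PAM rules in
# system-auth-local and point the system-auth symlink at that file.
# Both functions take the pam.d directory as $1 (default /etc/pam.d).

write_local_stack() {
    dir=${1:-/etc/pam.d}
    # authconfig keeps rewriting system-auth-ac, so pull it in via include
    # and append the local session rules from the bug description.
    cat > "$dir/system-auth-local" <<'EOF'
#%PAM-1.0
# Local layer; authconfig only rewrites system-auth-ac.
auth        include       system-auth-ac
account     include       system-auth-ac
password    include       system-auth-ac
session     include       system-auth-ac
session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
session optional pam_umask.so umask=0077
session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
session optional pam_umask.so umask=0002
EOF
    chmod 644 "$dir/system-auth-local"
    # Repoint the symlink with a relative target inside the same directory.
    ln -sfn system-auth-local "$dir/system-auth"
}

check_local_stack() {
    dir=${1:-/etc/pam.d}
    [ -L "$dir/system-auth" ] || { echo "system-auth is not a symlink"; return 1; }
    target=$(readlink "$dir/system-auth")
    if [ "$(basename "$target")" = "system-auth-ac" ]; then
        echo "system-auth -> system-auth-ac: no local layer"; return 1
    fi
    # Resolve a relative symlink target against the pam.d directory.
    case $target in /*) file=$target ;; *) file=$dir/$target ;; esac
    # The local file must still include the authconfig-managed stack
    # for every PAM management group.
    for t in auth account password session; do
        grep -Eq "^$t[[:space:]]+include[[:space:]]+system-auth-ac" "$file" ||
            { echo "$target lacks '$t include system-auth-ac'"; return 1; }
    done
    echo "system-auth -> $target (includes system-auth-ac)"
}
```

Run both functions against a scratch copy of /etc/pam.d first, and keep a root session open while switching the live symlink.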
