unofficial mirror of guix-patches@gnu.org 
From: Timothy Sample <samplet@ngyro.com>
To: Danny Milosavljevic <dannym@scratchpost.org>
Cc: 33916-done@debbugs.gnu.org
Subject: [bug#33916] [PATCH 0/4] Make GDM usable
Date: Sun, 30 Dec 2018 09:42:23 -0500
Message-ID: <877efrm5yo.fsf@ngyro.com>
In-Reply-To: <20181230103046.5625831f@scratchpost.org> (Danny Milosavljevic's message of "Sun, 30 Dec 2018 10:30:46 +0100")

Hi Danny,

Danny Milosavljevic <dannym@scratchpost.org> writes:

> Hi Timothy,
>
> thanks!
>
> I've pushed this series to master as:
>
> 92deb5cc920fcc7617302986180f1abee5fd2b26
> 89c8656200a21485fd50fe4d277792d7d56c63e0
> de409e82261eb147b6614aef8731d795ca664ef0
> 48c8d067d4ded776939cda6f9c63c25b38ba77fc

Thank you!

> I've taken a look at gnu/system/pam.scm where unix-pam-service is defined,
> and it just does "auth sufficient pam_rootok.so".  This means that root
> will be allowed to log in without password (which is what is documented
> there, too).
>
> But how come it (or gdm) then allows any user?

More specifically, it means that root is authorized to perform whatever
action PAM is being asked about without providing a password.  In this
case, “root” is GDM itself, and the action is “log in as so-and-so”.
Hence, PAM says, “sure thing, root, log in as whoever you like!”

The part I’m not certain about is why GDM is running as root.  My
current understanding is that it is running with effective UID gdm and
real UID root.  I remember reading in the docs that “pam_rootok.so” only
cares about real UID [1].

> Fedora does it differently:
>
> See https://fedoraproject.org/wiki/Enabling_Root_User_For_GNOME_Display_Manager
>
>> auth required pam_succeed_if.so user != root quiet

That looks better.  That would be easy to add if people find it useful.
(I wouldn’t bother with it, but if Fedora does it, then it must be
popular enough.)


[1] http://www.linux-pam.org/Linux-PAM-html/sag-pam_rootok.html


-- Tim
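
Added example (not part of the original message and not Guix or Linux-PAM code): a small Python model of how the "sufficient" and "required" control flags combine for the two auth lines quoted in this thread. The function names, the two stacks, the trailing pam_unix entry and the real-UID behaviour of pam_rootok (taken from the message's description) are assumptions of the example.

```python
# Simplified model of a PAM "auth" stack; illustration only, not Linux-PAM code.
# Only the "required" and "sufficient" control flags are modelled.

def pam_rootok(ctx):
    # Assumption taken from the message: only the caller's real UID matters.
    return ctx["caller_ruid"] == 0

def pam_unix(ctx):
    # Stand-in for a password check against the target account.
    return ctx["password_ok"]

def pam_succeed_if_user_ne_root(ctx):
    # Models "pam_succeed_if.so user != root": tests the target user.
    return ctx["target_user"] != "root"

MODULES = {f.__name__: f for f in (pam_rootok, pam_unix, pam_succeed_if_user_ne_root)}

# Constructed stacks; the trailing pam_unix entry is an assumption.
ROOTOK_STACK = [("sufficient", "pam_rootok"), ("required", "pam_unix")]
GUARDED_STACK = [("required", "pam_succeed_if_user_ne_root")] + ROOTOK_STACK

def authenticate(stack, caller_ruid, target_user, password_ok):
    """Return True if the stack grants the login request."""
    ctx = {"caller_ruid": caller_ruid, "target_user": target_user,
           "password_ok": password_ok}
    required_failed = False
    required_passed = False
    for control, module in stack:
        ok = MODULES[module](ctx)
        if control == "sufficient":
            # Success ends the stack early unless a required module failed.
            if ok and not required_failed:
                return True
        elif control == "required":
            # Failure is remembered, but later modules still run.
            required_failed = required_failed or not ok
            required_passed = required_passed or ok
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return required_passed and not required_failed

if __name__ == "__main__":
    for name, stack in (("rootok", ROOTOK_STACK), ("guarded", GUARDED_STACK)):
        for target in ("alice", "root"):
            granted = authenticate(stack, 0, target, password_ok=False)
            print(f"{name:8} caller_ruid=0 target={target:5} no password -> {granted}")
```

In this model the pam_succeed_if line only rejects "root" as the target user; a caller with real UID 0 is still granted a login as any other user without a password.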
