[bug#63383] Fwd: PAM may cause issues on system updates

[bug#63383] Fwd: PAM may cause issues on system updates

[Felix Lechner via Guix-patches via]

[an earlier version was sent to the wrong bug]

Hi,

There is another bug that was probably a reason why some folks
hesitated to accept this patch:

  https://issues.guix.gnu.org/32182

In that bug, Ludo' proposed to refer from Shepherd services to PAM
services by absolute paths. I believe it is a viable and worthy
solution.

(By contrast, this bug makes PAM services refer to PAM modules by
absolute paths.)

Another solution could be to make all PAM modules and services Guile
scripts. While admittedly a more comprehensive effort, I believe such
an upgrade might be popular in the broader community, which is
generally tired of PAM. The only prerequisite to execute those scripts
would be a working copy of GNU Guile (i.e. no libpam or libc).

Kind regards
Felix

bug#63383: [PATCH 0/4] Various PAM improvements

[Ludovic Courtès]

Hi,

Sorry for the long delay!

Felix Lechner <felix.lechner@lease-up.com> skribis:

> There is another bug that was probably a reason why some folks
> hesitated to accept this patch:
>
>   https://issues.guix.gnu.org/32182
>
> In that bug, Ludo' proposed to refer from Shepherd services to PAM
> services by absolute paths. I believe it is a viable and worthy
> solution.
>
> (By contrast, this bug makes PAM services refer to PAM modules by
> absolute paths.)

Right.  For this reason, I’m dropping the patch that adds more absolute
file names for all modules shipped with ‘linux-pam’ but keeping the rest.

> Another solution could be to make all PAM modules and services Guile
> scripts. While admittedly a more comprehensive effort, I believe such
> an upgrade might be popular in the broader community, which is
> generally tired of PAM. The only prerequisite to execute those scripts
> would be a working copy of GNU Guile (i.e. no libpam or libc).

Hmm are you suggesting a PAM rewrite in Guile?

Thanks,
Ludo’.

[bug#63383] [PATCH 0/4] Various PAM improvements

[Felix Lechner via Guix-patches via]

Hi Ludo'

On Tue, Aug 15, 2023 at 1:19 PM Ludovic Courtès <ludo@gnu.org> wrote:
>
> I’m dropping the patch that adds more absolute
> file names for all modules shipped with ‘linux-pam’ but keeping the rest.

Thanks for doing that. It was the right thing to do.

> Hmm are you suggesting a PAM rewrite in Guile?

Thanks for asking! I rewrote PAM in Guile some time ago [1] but it
still uses a shared library to start Guile via the good old "tortoise"
interface. [2] Upon reflection, I am not sure it would shelter us from
all potential compatibility issues on upgrades, including upgrades of
Guile.

Perhaps it would be best for Guix to adopt a fully script-driven
approach similar to OpenBSD. [3] Maxim may have alluded to it in a
correspondence on this topic elsewhere.

Kind regards
Felix

[1] https://codeberg.org/lechner/guile-pam
[2] https://www.gnu.org/software/guile/docs/guile-tut/tutorial.html#Tortoise
[3] https://blog.lambda.cx/posts/how-bsd-authentication-works/