https://bugzilla.redhat.com/show_bug.cgi?id=2010528
Bug ID: 2010528
Summary: Review Request: tcb - Implementation of the tcb password shadowing scheme
Product: Fedora
Version: rawhide
Hardware: All
OS: Linux
Status: NEW
Component: Package Review
Severity: medium
Priority: medium
Assignee: nobody@fedoraproject.org
Reporter: besser82@fedoraproject.org
QA Contact: extras-qa@fedoraproject.org
CC: package-review@lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description:
The tcb package consists of three components: pam_tcb, libnss_tcb, and libtcb. pam_tcb is a PAM module which supersedes pam_unix and pam_pwdb. It also implements the tcb password shadowing scheme (see tcb(5) for details). The tcb scheme allows many core system utilities (passwd(1) being the primary example) to operate with little privilege. libnss_tcb is the accompanying NSS module. libtcb contains code shared by the PAM and NSS modules and is also used by programs from the shadow-utils package.
Koji Builds:
https://koji.fedoraproject.org/koji/taskinfo?taskID=76705377
Issues:
fedora-review shows no obvious issues.
FAS-User:
besser82
Urls:
Spec URL: https://pagure.io/besser82/package-review/raw/master/f/tcb.spec
SRPM URL: https://pagure.io/besser82/package-review/raw/master/f/tcb-1.2-0.1.fc36.src....
Additional information:
This package is intended as a base for (likely to happen) future system-wide changes to Fedora. As the functionality this package provides will be needed for the system core, the (quite many, small) sub-packages have intentionally been crafted to need as few (pre-)dependencies each as possible, in order to be installable very early in the process of system upgrades and/or kickstarts. For that reason the main library package ships no components that require anything but glibc to be available, since otherwise hard-to-resolve dependency cycles with unpredictable behaviour would arise.
Thanks for review in advance!
Björn 'besser82' Esser besser82@fedoraproject.org changed:
What        Removed    Added
Alias                  tcb
Doc Type    ---        If docs needed, set a value
--- Comment #1 from Björn 'besser82' Esser besser82@fedoraproject.org ---
=== Updated package ===
Changelog:
* Mon Oct 04 2021 Björn Esser besser82@fedoraproject.org - 1.2-0.2
- Remove archful requirements in noarch packages
Koji Builds:
https://koji.fedoraproject.org/koji/taskinfo?taskID=76707012
Urls:
Spec URL: https://pagure.io/besser82/package-review/raw/master/f/tcb.spec
SRPM URL: https://pagure.io/besser82/package-review/raw/master/f/tcb-1.2-0.2.fc36.src....
Björn 'besser82' Esser besser82@fedoraproject.org changed:
What       Removed    Added
Link ID               Fedora Koji koji/taskinfo?taskID=76707012
Iker Pedrosa ipedrosa@redhat.com changed:
What    Removed    Added
CC                 ipedrosa@redhat.com
--- Comment #2 from Iker Pedrosa ipedrosa@redhat.com --- I don't know if I understood it correctly so I'm asking. What do you intend to do with "replace_pam_unix"?
--- Comment #3 from Björn 'besser82' Esser besser82@fedoraproject.org --- (In reply to Iker Pedrosa from comment #2)
> I don't know if I understood it correctly so I'm asking. What do you intend to do with "replace_pam_unix"?
I have some plans to propose a SWC to replace the pam_unix module with pam_tcb at some time in the future. For that reason I have added this %bcond, so I can do local package builds (rpmbuild -ba tcb.spec --with replace_pam_unix) reflecting that change for use in a VM for testing purposes, without the need for major edits to the spec file.
Basically that conditional just adds compatibility symlinks for pam_unix_*.so -> pam_tcb.so to the list of packaged files.
--- Comment #4 from Iker Pedrosa ipedrosa@redhat.com --- If you are only planning to use it for your testing that's fine, but I think it's dangerous to do that in production environments.
By the way, what are your plans for replacing pam_tcb in pam stack files? I think that authconfig should be aware of it and have some configuration to change between one and the other. And at some point in the future we could change the default in authconfig from pam_unix to pam_tcb. Just a little gossip, there's an authconfig SWC in draft to change pam stack files ownership to this package.
--- Comment #5 from Björn 'besser82' Esser besser82@fedoraproject.org ---
=== Updated package ===
Changelog:
* Tue Oct 05 2021 Björn Esser besser82@fedoraproject.org - 1.2-0.3
- Add soft-static group allocation preferring the gids as assigned by FPC
- Merge the filesystem and sysusers sub-packages into common sub-package
Koji Builds:
https://koji.fedoraproject.org/koji/taskinfo?taskID=76877498
Urls:
Spec URL: https://pagure.io/besser82/package-review/raw/master/f/tcb.spec
SRPM URL: https://pagure.io/besser82/package-review/raw/master/f/tcb-1.2-0.3.fc36.src....
--- Comment #6 from Björn 'besser82' Esser besser82@fedoraproject.org --- (In reply to Iker Pedrosa from comment #4)
> If you are only planning to use it for your testing that's fine, but I think it's dangerous to do that in production environments.
There can't be any harm, but the pam-tcb package is intentionally not installable when replace_pam_unix is enabled without manually forcing rpm to explicitly ignore several arising conflicts.
> By the way, what are your plans for replacing pam_tcb in pam stack files? I think that authconfig should be aware of it and have some configuration to change between one and the other. And at some point in the future we could change the default in authconfig from pam_unix to pam_tcb. Just a little gossip, there's an authconfig SWC in draft to change pam stack files ownership to this package.
Using pam_tcb in the stack files is one part of the change as I have it in mind. I know there are changes needed to authconfig as well, and I think it's a good idea to coordinate between the different changes and discuss their extent, to be as minimally disruptive as possible.
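The two mechanics discussed in comments #3 through #6, the pam_unix_*.so -> pam_tcb.so compatibility symlinks and the swap of pam_unix for pam_tcb in PAM stack files, as an added shell example that is not part of this review or of the tcb package. The sample stack file is constructed for illustration, and the four pam_unix_{auth,acct,passwd,session}.so names are an assumption (the per-type module names historically shipped by Linux-PAM); the actual symlink list in the tcb spec file is not shown on this page.

```shell
#!/bin/sh
# Added example for this review thread, not code from the tcb package.
# (1) Rewrite a PAM stack file so pam_unix.so entries call pam_tcb.so
#     instead, leaving control flags and module options untouched.
# (2) Create and verify the compatibility symlinks pam_unix_*.so -> pam_tcb.so.
# The four pam_unix_<type> names are an assumption (historical Linux-PAM).
set -e

# Constructed sample of a system-auth style stack (not a Fedora file).
sample_stack() {
    cat <<'EOF'
# constructed sample PAM stack
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow use_authtok
session     required      pam_unix.so
EOF
}

# Count non-comment lines in file $2 that reference module $1.
# Bracketed control flags like [default=die] are multi-field, so the
# module is located by scanning the fields rather than assuming column 3.
module_count() {
    awk -v m="$1" '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == m) { n++; break } }
        END { print n + 0 }' "$2"
}

# Copy $1 to $2, swapping pam_unix.so for pam_tcb.so on non-comment lines only.
swap_pam_unix() {
    sed -e '/^[[:space:]]*#/!s/pam_unix\.so/pam_tcb.so/g' "$1" > "$2"
}

# Create pam_unix_<type>.so -> pam_tcb.so symlinks in module directory $1.
make_compat_links() {
    for t in auth acct passwd session; do
        ln -sf pam_tcb.so "$1/pam_unix_$t.so"
    done
}

# Succeed only if every pam_unix_*.so in $1 is a symlink to pam_tcb.so.
check_compat_links() {
    bad=0
    for link in "$1"/pam_unix_*.so; do
        [ -e "$link" ] || [ -L "$link" ] || continue    # glob matched nothing
        [ "$(readlink "$link" 2>/dev/null)" = "pam_tcb.so" ] || bad=1
    done
    return "$bad"
}

# Demo run in a scratch directory.
work=$(mktemp -d)
sample_stack > "$work/system-auth"
swap_pam_unix "$work/system-auth" "$work/system-auth.tcb"
echo "pam_unix.so lines before: $(module_count pam_unix.so "$work/system-auth")"
echo "pam_tcb.so  lines after:  $(module_count pam_tcb.so "$work/system-auth.tcb")"
mkdir "$work/pam"
: > "$work/pam/pam_tcb.so"       # stand-in for the real module file
make_compat_links "$work/pam"
check_compat_links "$work/pam" && echo "compat links ok"
rm -rf "$work"
```

check_compat_links fails as soon as any pam_unix_*.so points somewhere other than pam_tcb.so, which is the kind of check to run before and after such a swap on a real system; the stack rewrite deliberately only touches non-comment lines, so commented-out pam_unix entries stay as documentation of the previous state.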
--- Comment #7 from Björn 'besser82' Esser besser82@fedoraproject.org --- For a better understanding: pam_tcb is a lightweight, yet fully mature (well-tested for over 20 years) replacement for pam_unix, offering all its capabilities but support for NIS(+).