> On Po, 2014-03-10 at 16:01 +0400, Dmitry V. Levin wrote:
> > On Fri, Mar 07, 2014 at 09:41:33AM +0100, Tomas Mraz wrote:
> > > On Pá, 2014-03-07 at 04:22 +0400, Dmitry V. Levin wrote:
> > > > On Thu, Mar 06, 2014 at 02:06:01PM +0100, Tomas Mraz wrote:
> > > > > On Čt, 2014-03-06 at 16:30 +0400, Dmitry V. Levin wrote:
> > > > > > On Thu, Mar 06, 2014 at 12:08:42PM +0100, Tomas Mraz wrote:
> > > > > > > Due to domain mapping with SSSD and Winbind the username that is typed
> > > > > > > by the user at the login prompt might not match what libselinux expects
> > > > > > > when looking for the matching SELinux user. The attached patch
> > > > > > > canonicalizes the user name through the pam_modutil_getpwnam. Please see
> > > > > > > also the discussion here:
> > > > > > >
> > > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1071010
> > > > > > >
> > > > > > > OK to commit?
> > > > > >
> > > > > > Why should this kind of canonicalization be performed by a pam module,
> > > > > > pam_selinux in this particular case? There are other possibilities that
> > > > > > look more reasonable, e.g. by pam application or by libpam itself.
> > > > >
> > > > > I don't think canonicalization of PAM_USER item in libpam or login
> > > > > application is appropriate. It is not always desirable to have the user
> > > > > name canonicalized. The only remaining place where the canonicalization
> > > > > would be possible is libselinux but there is not much difference in my
> > > > > opinion whether it is done in libselinux or pam_selinux.
> > > >
> > > > Are you sure this issue will not arise in other pam modules?
> > > > The original pam_mkhomedir bug report in
> > > > https://fedorahosted.org/linux-pam/ticket/22 was also related to some SSSD
> > > > aliasing/canonicalization issue.
> > >
> > > If we really want to have canonical user name as a PAM item, we should
> > > add a new item for it. PAM_USER in general does not even have to be
> > > present among the system accounts in some cases. I'd prefer not mixing
> > > these two things together.
> >
> > Introduction of a new PAM item would require patching of all login
> > applications, and I don't see why login applications should be explicitly
> > aware of such intricate authentication complexities as username aliasing
> > and canonicalization.
>
> Why would it? The PAM_CANON_USER or whatever the item would be called
> could be set by libpam when PAM_USER is set.

Setting PAM_CANON_USER as a side effect of setting PAM_USER?
Somewhat unusual for pam_set_item, but quite possible.
--
ldv