From Fedora Project Wiki
No edit summary
Line 4: Line 4:


== Summary ==
== Summary ==
Remove pam_console as it is broken and no longer under use.
Remove pam_console as it does nothing.


== Owner ==
== Owner ==
Line 38: Line 38:


== Detailed Description ==
== Detailed Description ==
Currently, the pam_console module is broken because one of the files needed to define the permissions (50-default.perms) is not installed in the distribution. Indeed, there was a [[Releases/FeatureRemovePAMConsole|System-Wide Change]] proposal in 2007 to remove pam_console, but it wasn't finished.
Currently, the pam_console module does nothing because one of the configuration files (50-default.perms) is not installed in the distribution. This file is used to define the files or devices permissions, and as it isn't installed there isn't any permission defined, thus making the module do nothing.
 
Other packages may install their own configuration files to specify the permissions, but I haven't found any.
 
In 2007 there was a [[Releases/FeatureRemovePAMConsole|System-Wide Change]] proposal to remove pam_console, but it wasn't finished.
 


== Feedback ==
== Feedback ==
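Review bot: In the new Detailed Description, the sentence "Other packages may install their own configuration files to specify the permissions, but I haven't found any" gives no indication of how the search was done. Suggest naming the directory or package set that was checked, so reviewers can repeat the check before the module is dropped.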
Line 44: Line 49:


== Benefit to Fedora ==
== Benefit to Fedora ==
The main benefit is that it reduces the maintenance effort of the package, without reducing the functionality as this should be managed by the HAL ACL. The pam_console module is not included in the [https://github.com/linux-pam/linux-pam Linux-PAM], and it has to be maintained in a [https://pagure.io/pam-redhat side-project]. On top of that, the module is only used in Fedora and some of its derivatives.
The main benefit is that it reduces the maintenance effort of the package, without reducing the functionality. The pam_console module is not included in the [https://github.com/linux-pam/linux-pam Linux-PAM], and it has to be maintained in a [https://pagure.io/pam-redhat side-project]. On top of that, the module is only used in Fedora and some of its derivatives.


== Scope ==
== Scope ==
* Proposal owners:
* Proposal owners:
# Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies).
# Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies).
# Remove pam_console from [https://pagure.io/pam-redhat pam-redhat] project and rebuild Fedora package.
# Remove pam_console from [https://pagure.io/pam-redhat pam-redhat] project and rebuild the PAM package without it.


* Other developers:
* Other developers:
Line 71: Line 76:
== How To Test ==
== How To Test ==
No special hardware or configuration is required to test this change. Once the change is in place, check that the pam_console isn't installed in your system (default location: /lib64/security/pam_console.so) and do a user authentication (i.e. graphical interface, su, ssh, and whatever else comes to your mind).
No special hardware or configuration is required to test this change. Once the change is in place, check that the pam_console isn't installed in your system (default location: /lib64/security/pam_console.so) and do a user authentication (i.e. graphical interface, su, ssh, and whatever else comes to your mind).
<!-- TODO: check once Dependencies is written -->




Line 85: Line 89:
* gdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822228
* gdm - https://bugzilla.redhat.com/show_bug.cgi?id=1822228


From the above list only the first item is a blocker as it requires pam_console to succeed in the authentication. In all other cases it is optional, so not deleting the module is not a problem.
From the above list only the first item is a blocker as it requires pam_console to succeed in the authentication. In all other cases it is optional, so not removing the module from their PAM stack will only cause a message printed in the security file.
 
<!-- TODO: there might be some unidentified software packages, I'm opening this System-Wide Change to also identify them -->




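Review bot: The reworded Dependencies sentence says a leftover optional reference "will only cause a message printed in the security file" without naming the file or the message. Suggest stating both. The removed TODO about unidentified software packages also leaves that open question undocumented; a sentence asking maintainers to report other users of pam_console would keep it visible.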
Line 93: Line 95:


* Contingency mechanism: Postpone to the next release.
* Contingency mechanism: Postpone to the next release.
* Contingency deadline: beta freeze
* Contingency deadline: Beta freeze.
* Blocks release? No
* Blocks release? No.





Revision as of 11:12, 3 January 2023

Remove pam_console

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Remove pam_console as it does nothing.

Owner


Current status

  • Targeted release: Fedora Linux 39
  • Last updated: 2023-01-03
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Currently, the pam_console module does nothing because one of its configuration files (50-default.perms) is not installed in the distribution. This file defines the permissions for files and devices; because it isn't installed, no permissions are defined, so the module does nothing.

Other packages may install their own configuration files to specify the permissions, but I haven't found any.

In 2007 there was a System-Wide Change proposal to remove pam_console, but it wasn't finished.


Feedback

Benefit to Fedora

The main benefit is that it reduces the maintenance effort of the package without reducing its functionality. The pam_console module is not included in Linux-PAM, and it has to be maintained in a side-project. On top of that, the module is only used in Fedora and some of its derivatives.

Scope

  • Proposal owners:
  1. Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies).
  2. Remove pam_console from pam-redhat project and rebuild the PAM package without it.
  • Other developers:
  1. Identified software package maintainers should review and merge the pam_console removal PRs.
  • Policies and guidelines: N/A
  • Trademark approval: N/A
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

No impact is expected.


How To Test

No special hardware or configuration is required to test this change. Once the change is in place, check that pam_console isn't installed on your system (default location: /lib64/security/pam_console.so) and perform a user authentication (e.g. graphical interface, su, ssh, and whatever else comes to your mind).


User Experience

Users won't experience any change.

Dependencies

This change depends on other packages removing pam_console from their PAM stack. I have identified five packages and I have opened a bugzilla for all of them:

From the above list, only the first item is a blocker, as it requires pam_console to succeed in the authentication. In all other cases it is optional, so not removing the module from their PAM stack will only cause a message to be printed in the security file.
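
The required/optional distinction above, and the check described under How To Test, can be scripted. The following is an added example, not part of the Change proposal: it lists PAM stack lines that still reference pam_console.so and labels each by its control flag. The function names, verdict labels and sample stacks are constructed for illustration; pass /etc/pam.d as the argument to scan a real system.

```shell
#!/bin/sh
# Added example, not part of the Change page. Names and labels are illustrative.
# pam_console_refs DIR prints "file:line:VERDICT:type control" for every
# stack line in DIR that still references pam_console.so:
#   BLOCKER  required/requisite: the module must succeed, so its removal
#            breaks the stack (the blocker case named under Dependencies)
#   LOGONLY  optional: the failure is ignored and only logged
#   QUIET    "-type" entry: pam.conf(5) says a missing module is not logged
#   REVIEW   any other control (sufficient, [value=action ...]): check by hand
pam_console_refs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            /^[ \t]*#/ { next }                      # skip comment lines
            $0 ~ "(^|[ \t/])pam_console[.]so([ \t]|$)" {
                type = $1; ctl = $2
                if (type ~ /^-/) v = "QUIET"
                else if (ctl == "required" || ctl == "requisite") v = "BLOCKER"
                else if (ctl == "optional") v = "LOGONLY"
                else v = "REVIEW"
                printf "%s:%d:%s:%s %s\n", file, NR, v, type, ctl
            }' "$f"
    done
}

# Constructed sample stacks (not real Fedora files) so the example runs offline.
sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#%PAM-1.0' 'auth required pam_console.so' > "$d/svc-a"
    printf '%s\n' 'session optional pam_console.so' \
        '-session optional pam_console.so' > "$d/svc-b"
    printf '%s\n' 'auth [success=ok default=ignore] pam_console.so' > "$d/svc-c"
    echo "$d"
}

# Scan the directory given as $1 (e.g. /etc/pam.d), else the sample stacks.
pam_console_refs "${1:-$(sample_dir)}"
```

Any BLOCKER line has to be removed from its stack before the module is dropped; a clean run prints nothing.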


Contingency Plan

  • Contingency mechanism: Postpone to the next release.
  • Contingency deadline: Beta freeze.
  • Blocks release? No.


Documentation

No documentation.


Release Notes

No need to update the release notes for this change.