Revision as of 14:40, 2 January 2023

Remove pam_console

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Remove pam_console as it is broken and no longer under use.

Owner

Name: Iker Pedrosa
Email: ipedrosa@redhat.com

Current status

Targeted release: Fedora Linux 39
Last updated: 2023-01-02
FESCo issue: <will be assigned by the Wrangler>
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Currently, the pam_console module is broken because one of the files needed to define the permissions (50-default.perms) is not installed in the distribution. Indeed, there was a System-Wide Change proposal in 2007 to remove pam_console, but it wasn't finished.

Feedback

Benefit to Fedora

The main benefit is that it reduces the maintenance effort of the package, without reducing the functionality as this should be managed by the HAL ACL. The pam_console module is not included in the Linux-PAM, and it has to be maintained in a side-project. On top of that, the module is only used in Fedora and some of its derivatives.

Scope

Proposal owners:

Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies).
Remove pam_console from pam-redhat project and rebuild Fedora package.

Other developers:

Identified software package maintainers should review and merge the pam_console removal PRs.

Release engineering: #Releng issue number

Policies and guidelines: N/A

Trademark approval: N/A

Alignment with Objectives: N/A

Upgrade/compatibility impact

No impact is expected.

How To Test

No special hardware or configuration is required to test this change. Once the change is in place, check that the pam_console isn't installed in your system (default location: /lib64/security/pam_console.so) and do a user authentication (i.e. graphical interface, su, ssh, and whatever else comes to your mind).

User Experience

Dependencies

Contingency Plan

Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
Contingency deadline: N/A (not a System Wide Change)
Blocks release? N/A (not a System Wide Change), Yes/No

Documentation

N/A (not a System Wide Change)

Release Notes

@@ Line 1: / Line 1: @@
-<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
 = Remove pam_console =
@@ Line 18: / Line 16: @@
 == Current status ==
 [[Category:ChangePageIncomplete]]
+<!-- TODO: -->
 <!-- When your change proposal page is completed and ready for review and announcement -->
 <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
@@ Line 39: / Line 38: @@
 == Detailed Description ==
-Currently, the pam_console module is broken as one of the files needed to define the permissions (50-default.perms) is not installed in the distribution. Indeed, there was a [[Releases/FeatureRemovePAMConsole|System-Wide Change]] proposal in 2007 to remove pam_console, but it wasn't finished.
+Currently, the pam_console module is broken because one of the files needed to define the permissions (50-default.perms) is not installed in the distribution. Indeed, there was a [[Releases/FeatureRemovePAMConsole|System-Wide Change]] proposal in 2007 to remove pam_console, but it wasn't finished.
 == Feedback ==
@@ Line 45: / Line 44: @@
 == Benefit to Fedora ==
-The main benefit is that it reduces the maintenance effort of the package, without reducing the functionality as it should be managed by the HAL ACL. The pam_console module is not included in the [https://github.com/linux-pam/linux-pam Linux-PAM], and it has to be maintained in a [https://pagure.io/pam-redhat side-project]. On top of that, it is just used in Fedora and some of its derivatives.
+The main benefit is that it reduces the maintenance effort of the package, without reducing the functionality as this should be managed by the HAL ACL. The pam_console module is not included in the [https://github.com/linux-pam/linux-pam Linux-PAM], and it has to be maintained in a [https://pagure.io/pam-redhat side-project]. On top of that, the module is only used in Fedora and some of its derivatives.
 == Scope ==
 * Proposal owners:
-<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
+# Provide PRs to remove pam_console from the PAM stack of the identified software packages (see Dependencies).
+# Remove pam_console from [https://pagure.io/pam-redhat pam-redhat] project and rebuild Fedora package.
-* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+* Other developers:
-<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
+# Identified software package maintainers should review and merge the pam_console removal PRs.
 * Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 <!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.
 The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
+<!-- TODO: add link -->
 * Policies and guidelines: N/A
@@ Line 65: / Line 66: @@
 == Upgrade/compatibility impact ==
-<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
+No impact is expected.
-<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 == How To Test ==
-<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.
+No special hardware or configuration is required to test this change. Once the change is in place, check that the pam_console isn't installed in your system (default location: /lib64/security/pam_console.so) and do a user authentication (i.e. graphical interface, su, ssh, and whatever else comes to your mind).
+<!-- TODO: check once Dependencies is written -->
-Remember that you are writing this how to for interested testers to use to check out your change implementation - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your change.
-A good "how to test" should answer these four questions:
-. What special hardware / data / etc. is needed (if any)?
-. How do I prepare my system to test this change? What packages
-need to be installed, config files edited, etc.?
-. What specific actions do I perform to check that the change is
-working like it's supposed to?
-. What are the expected results of those actions?
--->
-<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
@@ Line 112: / Line 98: @@
      https://bugzilla.redhat.com/show_bug.cgi?id=1822228
 -->
+<!-- TODO: there might be some unidentified software packages, I'm opening this System-Wide Change to also identify them -->

Search

Changes/RemovePamConsole: Difference between revisions