* su currently requires PAM
@ 2021-12-27 15:26 Bruce Dubbs
  2022-01-06 13:27 ` Karel Zak
  0 siblings, 1 reply; 4+ messages in thread
From: Bruce Dubbs @ 2021-12-27 15:26 UTC (permalink / raw)
  To: util-linux

In linuxfromscratch, we have been using su from the shadow package because the 
util-linux version requires Linux-PAM.  Recently the maintainers of shadow have 
announced that they are deprecating su.  Our problem is that some of our users prefer 
to not install PAM.

Is it possible to make the requirement of Linux-PAM optional in the util-linux 
version of su?  From a preliminary inspection of the code, it looks like only 
login-utils/su-common.c would need to be modified with some #ifdef constructs, but I 
am not completely comfortable doing that myself.

I am asking one of the maintainers to make the change, but I am willing to attempt 
creating a patch if no one else wants to do it and the approach would be acceptable 
to the util-linux project.

   -- Bruce Dubbs
      linuxfromscratch.org


* Re: su currently requires PAM
  2021-12-27 15:26 su currently requires PAM Bruce Dubbs
@ 2022-01-06 13:27 ` Karel Zak
  2022-01-06 14:39   ` Serge E. Hallyn
  0 siblings, 1 reply; 4+ messages in thread
From: Karel Zak @ 2022-01-06 13:27 UTC (permalink / raw)
  To: Bruce Dubbs; +Cc: util-linux, Serge E. Hallyn

On Mon, Dec 27, 2021 at 09:26:01AM -0600, Bruce Dubbs wrote:
> In linuxfromscratch, we have been using su from the shadow package because
> the util-linux version requires Linux-PAM.  Recently the maintainers of
> shadow have announced that they are deprecating su.  Our problem is that
> some of our users prefer to not install PAM.

I had a discussion about it with Serge (in CC), it seems the current
conclusion is that "for now shadow will have to keep shipping su".

> Is it possible to make the requirement of Linux-PAM optional in the
> util-linux version of su?  From a preliminary inspection of the code, it
> looks like only login-utils/su-common.c would need to be modified with some
> #ifdef constructs, but I am not completely comfortable doing that myself.

The problem is not #ifdef, but that you need local reimplementation
for the very basic PAM functionality.

I have suggested creating some minimalistic library with PAM
compatible API, but without all the functionality. Maybe we can
develop this library in util-linux and later offer it to other
projects. Volunteers? ;-)
                                                         
Another possibility is to improve the original PAM to make it possible
to compile it without modules, etc.

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com
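
A sketch of the kind of minimal PAM-compatible authentication path suggested in the message above, added here as an illustration; it is not code from util-linux, shadow or Linux-PAM. All `mini_*` and `demo_*` names are hypothetical, and the scripted terminal and one-entry credential store are constructed stand-ins for a real tty and a `getspnam()`/`crypt()` check.

```c
#include <stdlib.h>
#include <string.h>
enum { MINI_SUCCESS = 0, MINI_AUTH_ERR, MINI_CONV_ERR };
/* The caller (su) owns the terminal; the library prompts only via this callback. */
typedef int (*mini_conv_fn)(const char *prompt, char **reply, void *appdata);
/* Hypothetical hook: a real build would check crypt() output against getspnam(). */
typedef int (*mini_check_fn)(const char *user, const char *secret);
typedef struct { const char *user; mini_conv_fn conv; void *appdata;
                 mini_check_fn check; } mini_handle;

int mini_start(mini_handle *h, const char *user, mini_conv_fn conv,
               void *appdata, mini_check_fn check)
{
    if (!h || !user || !*user || !conv || !check)
        return MINI_AUTH_ERR;                 /* fail closed on bad setup */
    h->user = user; h->conv = conv; h->appdata = appdata; h->check = check;
    return MINI_SUCCESS;
}

int mini_authenticate(mini_handle *h)
{
    char *reply = NULL;
    if (h->conv("Password: ", &reply, h->appdata) != MINI_SUCCESS || !reply) {
        free(reply);
        return MINI_CONV_ERR;                 /* no answer is never a success */
    }
    int ok = h->check(h->user, reply);
    for (volatile char *p = reply; *p; p++) *p = 0;   /* wipe before free */
    free(reply);
    return ok == 1 ? MINI_SUCCESS : MINI_AUTH_ERR;
}

/* Constructed test doubles: a scripted "terminal" and a one-entry store. */
static int scripted_conv(const char *prompt, char **reply, void *appdata)
{
    (void)prompt;
    if (!appdata || !(*reply = malloc(strlen(appdata) + 1)))
        return MINI_CONV_ERR;                 /* NULL simulates a closed tty */
    strcpy(*reply, appdata);
    return MINI_SUCCESS;
}
static int demo_check(const char *user, const char *secret)
{
    return !strcmp(user, "root") && !strcmp(secret, "constructed-secret");
}
int demo_su(const char *user, const char *typed)
{
    mini_handle h;
    return mini_start(&h, user, scripted_conv, (void *)typed, demo_check)
               ? MINI_AUTH_ERR : mini_authenticate(&h);
}
```

Account and session handling, which su also obtains through PAM, are left out of this sketch.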



* Re: su currently requires PAM
  2022-01-06 13:27 ` Karel Zak
@ 2022-01-06 14:39   ` Serge E. Hallyn
  2022-01-06 15:48     ` Bruce Dubbs
  0 siblings, 1 reply; 4+ messages in thread
From: Serge E. Hallyn @ 2022-01-06 14:39 UTC (permalink / raw)
  To: Karel Zak; +Cc: Bruce Dubbs, util-linux, Serge E. Hallyn

On Thu, Jan 06, 2022 at 02:27:46PM +0100, Karel Zak wrote:
> On Mon, Dec 27, 2021 at 09:26:01AM -0600, Bruce Dubbs wrote:
> > In linuxfromscratch, we have been using su from the shadow package because
> > the util-linux version requires Linux-PAM.  Recently the maintainers of
> > shadow have announced that they are deprecating su.  Our problem is that
> > some of our users prefer to not install PAM.
> 
> I had a discussion about it with Serge (in CC), it seems the current
> conclusion is that "for now shadow will have to keep shipping su".

I haven't mentioned it in the Changelog, but have implied here
https://github.com/shadow-maint/shadow/issues/464
that yes we will not drop su in shadow until there is an alternative.

> > Is it possible to make the requirement of Linux-PAM optional in the
> > util-linux version of su?  From a preliminary inspection of the code, it
> > looks like only login-utils/su-common.c would need to be modified with some
> > #ifdef constructs, but I am not completely comfortable doing that myself.
> 
> The problem is not #ifdef, but that you need local reimplementation
> for the very basic PAM functionality.
> 
> I have suggested creating some minimalistic library with PAM
> compatible API, but without all the functionality. Maybe we can
> develop this library in util-linux and later offer it to other
> projects. Volunteers? ;-)
>
> Another possibility is to improve the original PAM to make it possible
> to compile it without modules, etc.
> 
>     Karel
> 
> -- 
>  Karel Zak  <kzak@redhat.com>
>  http://karelzak.blogspot.com


* Re: su currently requires PAM
  2022-01-06 14:39   ` Serge E. Hallyn
@ 2022-01-06 15:48     ` Bruce Dubbs
  0 siblings, 0 replies; 4+ messages in thread
From: Bruce Dubbs @ 2022-01-06 15:48 UTC (permalink / raw)
  To: Serge E. Hallyn, Karel Zak; +Cc: util-linux

On 1/6/22 8:39 AM, Serge E. Hallyn wrote:
> On Thu, Jan 06, 2022 at 02:27:46PM +0100, Karel Zak wrote:
>> On Mon, Dec 27, 2021 at 09:26:01AM -0600, Bruce Dubbs wrote:
>>> In linuxfromscratch, we have been using su from the shadow package because
>>> the util-linux version requires Linux-PAM.  Recently the maintainers of
>>> shadow have announced that they are deprecating su.  Our problem is that
>>> some of our users prefer to not install PAM.
>>
>> I had a discussion about it with Serge (in CC), it seems the current
>> conclusion is that "for now shadow will have to keep shipping su".

That sounds good.  Thanks for looking into it.

   -- Bruce

> I haven't mentioned it in the Changelog, but have implied here
> https://github.com/shadow-maint/shadow/issues/464
> that yes we will not drop su in shadow until there is an alternative.
> 
>>> Is it possible to make the requirement of Linux-PAM optional in the
>>> util-linux version of su?  From a preliminary inspection of the code, it
>>> looks like only login-utils/su-common.c would need to be modified with some
>>> #ifdef constructs, but I am not completely comfortable doing that myself.
>>
>> The problem is not #ifdef, but that you need local reimplementation
>> for the very basic PAM functionality.
>>
>> I have suggested creating some minimalistic library with PAM
>> compatible API, but without all the functionality. Maybe we can
>> develop this library in util-linux and later offer it to other
>> projects. Volunteers? ;-)
>>
>> Another possibility is to improve the original PAM to make it possible
>> to compile it without modules, etc.



