Gentoo Forums :: Other Things Gentoo

Opinions on removing PAM from a single user desktop system

jonathan183 (Tux's lil' helper; joined 13 Dec 2011; 91 posts) wrote on Fri Jan 24, 2014 10:03 pm:

Anon-E-moose wrote:
I don't know that you'll gain much by removing those particular flags.
...
The major flags that affect package bloat are the ones I mentioned earlier from my make.conf file, IMO.


OK thanks ... I want to avoid the bloat, minimise the potential exposure to security threats but still have a usable desktop system. The more I strip out without compromising security or losing the functionality I use and care about the better 8)

mv wrote:
-acl is fine for single-user systems. Actually you can even remove support for POSIX Access Control Lists in your kernel from the filesystems. Again, you will be careful with recompiling.
I would recommend to keep xattr and to keep/set security labels for your filesystems in the kernel: This is the new way how hardened-sources marks exceptional binaries, and this is also needed if you should ever want to run overlayfs.
sendmail is not important and up to you, but probably you want to install a MTA anyway e.g. to get errors from cron.
cxx is heavily needed unless you build an extremely tiny embedded system; many basic projects use c++.


Thanks ... I think I'll go with -acl. I'm sure at some point I'll figure something out I actually want to use cron for ... tripwire, chkrootkit, rkhunter pull it in. If I wanted to schedule this then it would be the tool of choice, but I don't. No use flag to remove it from tripwire or rkhunter :roll:

Thanks everyone for your patience and replies :D
tw04l124 (Veteran; joined 03 Oct 2006; 1310 posts; location: A t z e l, lower austria) wrote on Sat Jan 25, 2014 8:03 am:

Anon-E-moose wrote:


Edit to add: this is from my /etc/make.conf
Code:
-introspection -hal -bluetooth -kde -gnome -libnotify -pam -consolekit -policykit -systemd -udisks -upower -pulseaudio


Edit to add 2: It wouldn't hurt to leave pam installed, either. Just don't use it. It's your system and your choice.


Thanks, I'll just try that out now.

I just saw that hal does not exist anymore on my box. I could not find it in my make.conf and also ufed does not show hal anymore. Maybe the hal useflag is already gone ...
Chiitoo (l33t; joined 28 Feb 2010; 831 posts; location: Here and Away Again) wrote on Sat Jan 25, 2014 9:22 am:

tw04l124 wrote:
I just saw that hal does not exist anymore on my box. I could not find it in my make.conf and also ufed does not show hal anymore. Maybe the hal useflag is already gone ...

If I'm not horribly wrong, hal has been gone about two years now. ^^


(Also another user here with KDE/Enlightenment without pam, *kit, and the likes. For the time being, using udev, but soon going static at least as a test at first.)
_________________
Kind Regards,
~ The Noob Unlimited ~

Sore wa sore, kore wa kore. (Japanese: "That is that, this is this.")
Anon-E-moose (Advocate; joined 23 May 2008; 2240 posts; location: Dallas area) wrote on Sat Jan 25, 2014 10:46 am:

:lol: Yes, hal has long been gone, I just didn't clean up make.conf when it disappeared completely.
Doesn't hurt anything (on my system) so I just left it.

As always, modify those flags I use for your individual case,
i.e. I don't use bluetooth, so I have the flag there; if you do, then of course remove it. :)
_________________
Asus m5a99fx, FX 8320 - amd64-multilib, 3.9.1-zen, glibc-2.17, gcc-4.7.3-r1, eudev
xorg-server-1.16, openbox w/lxpanel, nouveau, oss4
PaulBredbury (Watchman; joined 14 Jul 2005; 7310 posts) wrote on Sat Jan 25, 2014 11:06 am:

Hang on a minute!

If /bin/login isn't built with PAM, then how would /etc/security/limits.d/* get applied? Which is needed for sensible process prioritization (which 99% of users ignore, it seems).

Edit: Here's CK blog, as an interesting read.
_________________
Improve your font rendering and ALSA sound
Anon-E-moose (Advocate) wrote on Sat Jan 25, 2014 11:17 am:

PaulBredbury wrote:
Hang on a minute!

If /bin/login isn't built with PAM, then how would /etc/security/limits.d/* get applied? Which is needed for sensible process prioritization (which 99% of users ignore, it seems).


I don't have /etc/security/limits.d/, I have /etc/security/limits.conf, which dates back to Jan 2013.
Not sure what installed it or why.

I've never had any problem with video playback, and I watch a fair amount of movies, anime, etc.
and don't use pam, process prioritization, etc.
If a process really needed a better priority, I would use the old standby, nice

Thus in my case no need for pam having anything to do with /bin/login

Edit to add: I do use zen patches and BFS for my scheduler. Don't know if that makes a difference re. prioritization.
PaulBredbury (Watchman) wrote on Sat Jan 25, 2014 11:37 am:

Anon-E-moose wrote:
I would use the old standby, nice

Well, of course. The point is that it is very convenient for a user to be able to set a negative niceness, for the convenient setting of relative priorities, since the default is of course a niceness of zero.

These settings show their usefulness when the system is under load.


Last edited by PaulBredbury on Sat Jan 25, 2014 11:39 am; edited 1 time in total
mv (Advocate; joined 20 Apr 2005; 3998 posts) wrote on Sat Jan 25, 2014 11:38 am:

PaulBredbury wrote:
If /bin/login isn't built with PAM, then how would /etc/security/limits.d/* get applied?

Without PAM the file is called /etc/limits and is interpreted directly by sys-apps/shadow.
mv (Advocate) wrote on Sat Jan 25, 2014 11:48 am:

PaulBredbury wrote:
These settings show their usefulness when the system is under load.

The limits have nothing to do with whether you have pam or not - it is just a question of how you specify them.

However, in any case I would not allow a default priority lower than 0 since this is even lower than system tasks which should react to IRQs etc. It is really dangerous to do this. If you want to view movies (on a single-user system) when the system is under load it is better to give your other tasks a lower priority - but usually nothing helps anyway because the hangs are not caused by priority questions but by io things which you cannot control reasonably (e.g. I have a laptop where nothing runs when it flushes to disk - the disk just blocks the processor completely). In an emergency case you can still use sudo to set negative nice values, but as said: in my experience it helps nothing and can do harm. On a multiuser system I would not give any user permission to set negative priority, anyway.
PaulBredbury (Watchman) wrote on Sat Jan 25, 2014 11:56 am:

mv wrote:
/etc/limits

Thanks. According to shadow's README.limits file, there's no way to let the user set a negative niceness :(

E.g. in /etc/security/limits.d/91-limits.conf:
Code:
myusername       -       nice        -8

So it looks like I need /bin/login linked to PAM.

mv wrote:
even lower than system tasks which should react on IRQs

Are you sure? This shows a lot of kernel processes running at a niceness of -20:
Code:
ps -eo pid,rtprio,nice,policy,ruser,rgroup,comm,args


You say it's "dangerous", yet I've been doing this for years without seeing adverse effects ;)

Edit: Just to make things a bit clearer: -20 takes priority over -8


Last edited by PaulBredbury on Sat Jan 25, 2014 12:17 pm; edited 1 time in total
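The entry PaulBredbury shows above only takes effect because pam_limits.so in the login stack reads /etc/security/limits.conf and /etc/security/limits.d/*.conf at login; a /bin/login built without PAM never looks at these files, which is the crux of the disagreement. Whichever side of the negative-niceness argument you land on, it is worth knowing who on a box has actually been granted it. The following POSIX shell audit is an added example, not code from any poster in this thread: it scans a pam_limits-style file (fields "domain type item value") and reports every non-root domain that may lower its niceness below 0 or use a realtime priority. The sample file it writes is constructed for the demo, and the names in it (myusername, @audio, alice) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the forum thread.
# audit_nice_limits: scan a pam_limits(8)-style file (/etc/security/limits.conf
# or one /etc/security/limits.d/*.conf fragment) and report every non-root
# entry that lets a login drop below niceness 0 or claim a realtime priority.

audit_nice_limits() {
    # $1: path to a limits.conf-style file
    # Output: one line per offending entry, "<file>:<lineno>: <reason>"
    awk -v file="$1" '
        { sub(/#.*/, "") }          # drop trailing comments; awk re-splits $0
        NF < 4 { next }             # blank line, or too few fields for an entry
        $1 == "root" { next }       # root may already do this without pam_limits
        $3 == "nice" && $4 ~ /^-[0-9]+$/ {
            printf "%s:%d: %s may lower nice to %s (type %s)\n", file, NR, $1, $4, $2
        }
        $3 == "rtprio" && $4 ~ /^[0-9]+$/ && $4 + 0 > 0 {
            printf "%s:%d: %s may use realtime priority up to %s (type %s)\n", file, NR, $1, $4, $2
        }
    ' "$1"
}

# write_sample_limits: constructed sample data so the audit runs offline.
# The user and group names are hypothetical; the myusername line mirrors the
# one quoted in the thread.
write_sample_limits() {
    cat > "$1" <<'EOF'
# constructed /etc/security/limits.d/91-limits.conf (hypothetical)
*               -       nofile      4096
myusername      -       nice        -8      # the entry discussed in the thread
@audio          -       rtprio      95
root            -       nice        -20
alice           soft    nice        5       # positive floor: nothing to report
EOF
}

# Demo: audit the constructed file and print the findings.
sample=$(mktemp)
write_sample_limits "$sample"
audit_nice_limits "$sample"
rm -f "$sample"
```

On a real system run `audit_nice_limits` over /etc/security/limits.conf and each file in /etc/security/limits.d/; the type field (soft, hard or "-" for both) is echoed so you can see whether the grant is a hard ceiling or a soft default the user could raise further. Whether a `nice -8` entry for a desktop user is a convenience or a risk is the judgement call the thread is about; the audit only makes the grant visible.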
Anon-E-moose (Advocate) wrote on Sat Jan 25, 2014 12:13 pm:

Bottom line,
Can one have a nice responsive system with pam? Yes
Can one have a nice responsive system without pam? Yes

Use what you like, what fits your needs, and the way you like your system.

I know that not only is my hardware different than many others,
including things like turning off changing cpu frequency, etc,
but I do things a completely different way.
I boot up into console mode, then use startx. I usually run my emerges from the console, etc.

So everyone's system is different even if they were using the same hardware.

Use what works for you, though I do like hearing of the way different people run their system and why.
If it looks good enough, for me, I might change the way that I run my own system.
mv (Advocate) wrote on Sat Jan 25, 2014 12:25 pm:

PaulBredbury wrote:
mv wrote:
/etc/limits

Thanks. According to shadow's README.limits file, there's no way to let the user set a negative niceness :(

Maybe; I have never tried. As I said, a negative value is usually not a good idea since normally you do not want to interfere with kernel processes. Concerning other processes only the relative value is important. If you really want to allow it for a particular program, it is probably safer to set a sudo exception.
Quote:
Are you sure? This shows a lot of kernel processes running at a niceness of -20:

So you probably do not want to decrease the ratio to them to slow these down relatively.
Quote:
You say it's "dangerous", yet I've been doing this for years without seeing adverse effects ;)

I guess this can all depend on your hardware. It is probably hard to predict what happens if your system reacts too slowly to certain hardware IRQs. When you are burning a dvd, it is clear what is happening. I would guess that you can similarly e.g. wear your harddisk more than necessary, but I am not a hardware expert.
PaulBredbury (Watchman) wrote on Sat Jan 25, 2014 12:59 pm:

mv wrote:
So you probably do not want to decrease the ratio to them to slow these down relatively.

What? Where's the sense in what you're saying?

These niceness levels exist so that they can be used, and altered. And I do. The kernel doesn't panic, files don't get corrupted, wi-fi stays up and reliable. Why are you scaremongering?

I'm using this e.g. to state, quite deliberately, that the CPU should give priority to e.g. a music player and especially a video player, over the "normal" CPU processes (i.e. the processes which are niceness zero). It's that simple.

Burning a DVD is a special case (haven't done it for a while, not sure if it's still realtime-critical with e.g. "burnfree"), and I would give that a negative niceness too (and use ionice), as appropriate.
mv (Advocate) wrote on Sat Jan 25, 2014 2:43 pm:

PaulBredbury wrote:
These niceness levels exist so that they can be used

And there is a reason that the default lowest niceness for a normal user is 0 and not -20
Quote:
The kernel doesn't panic, files don't get corrupted, wi-fi stays up and reliable.

Maybe it does, but maybe there is considerably more delay (e.g. a need to retransfer packets or even reestablish some connection) than usual. Does saving a few milliseconds by slowing down basic kernel tasks really improve your experience when watching videos? I mean:
Quote:
give priority to e.g. a music player and especially a video player, over the "normal" CPU processes (i.e. the processes which are niceness zero).

Why do you start your "normal" processes at the lowest possible niceness in the first place? Starting your shell (and thus everything else) with a higher niceness by default won't hurt you with a low load, and giving niceness 0 to a process is then practically the same as giving a negative niceness, except that you are safer from interfering with really basic tasks: Instead of decreasing the niceness of video, it is probably better to increase the niceness of the rest. (Of course, you can also do this only at the moment when you decide that you want to watch a video and observe that it is too slow).
PaulBredbury (Watchman) wrote on Sat Jan 25, 2014 3:00 pm:

mv wrote:
there is a reason that the default lowest niceness for a normal user is 0 and not -20

I am not interfering with the kernel's high-priority threads (although we can if we want). I use -8 as my highest user priority, that's all. It gives me plenty of scale.

Quote:
a few milliseconds

There's only 16 milliseconds per frame, at 60fps. So yeah, the kernel should wait. There is no disadvantage in such prioritization!

Quote:
Why do you start your "normal" processes at lowest possible niceness in the first place?

I don't. Whatever gives you that idea?

Here are some more examples, for those interested.
jonathan183 (Tux's lil' helper) wrote on Sat Jan 25, 2014 6:15 pm:

My understanding is pam is for user authentication ... so if I want to authenticate users using a fingerprint reader or some other method then pam might help me out.
If I have a problem with system responsiveness then I don't think pam is the answer ... and if removing pam makes my system unresponsive then I will look at how to resolve this, re-installing pam would not be my first approach.

If it's not installed then it can't leak, break or be incorrectly configured ...
mv (Advocate) wrote on Sat Jan 25, 2014 6:42 pm:

jonathan183 wrote:
My understanding is pam is for user authentication ...

Yes, it is. However pam's /etc/security/... is a little bit more fine-grained than /etc/limits.conf; the case of negative maximal niceness just discussed is only one of several minor differences; a default niceness is another one; the possibility to avoid things like suxs or sudox to pass X authorization is yet another extension which you get only with pam; also some screenlockers have decided to rely only on pam and not any "manual" authentication method. So in some cases, pam really has advantages.
On the other hand, all these conveniences come at the price of introducing an already rather complex layer.
If you play this game to the extreme, you end up with polkit: Convenience everywhere, but due to the complexity you can almost expect that your system is vulnerable. Only running everything directly as root is even more convenient and only slightly less secure :wink:
mv (Advocate) wrote on Sat Jan 25, 2014 6:52 pm:

PaulBredbury wrote:
Here's some more examples, for those interested.

Wasn't there a daemon which would automatically set the niceness based on the process name and a configurable list? (Maybe it was app-admin/verynice?) This could be something for you.
I never cared too much about it since in my experience changes in niceness did not have a remarkable influence on the performance: On my slower machines, RAM is the bottleneck so e.g. compiling gcc in the background makes the machine almost unusable even with highest nice and ionice, and my faster machines are so fast that I do not observe any disturbing slowdown when viewing video except on a few occasions when the harddisk becomes the bottleneck.
PaulBredbury (Watchman) wrote on Sat Jan 25, 2014 7:11 pm:

I noted verynice, but didn't bother trying it, because I don't need/want a daemon. Sensible defaults for nice & ionice work fine :)
Page 2 of 2. All times are GMT.