jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Mon Jan 20, 2014 12:47 am Post subject: Opinions on removing PAM from a single user desktop system
Is PAM required for a single user desktop system ... or to put it a different way if I remove PAM will I be compromising the security of the system?
If I expanded the number of users to less than 5 (all local login - one user at a time) would the answer be different?
Some of the background to my question below ...
I have been using Gentoo along with a couple of other distros (including Arch) for a few years now and have done a fresh install on a spare partition (attempting to use tripwire from a fresh install). I'm trying to get it set up the way I want, which means:-
openrc for system boot with busybox mdev as the device manager
boot to command line login and use startx (when I want to use X)
IceWM as the window manager
Various applications such as firefox, claws-mail, leafpad, libreoffice, mupdf, gimp, smplayer and pcmanfm running in X.
Applications such as mplayer, links2 running using directfb. System admin cli only, cp/rsync/mv/chown/chmod/iptables etc cli only.
What I don't want - systemd, gnome, kde, xfce etc. I also don't want *kit, will suffer dbus if I must. I'll stick with mdev but if I do need to switch I'll go with eudev.
I have USE flags with most things including X disabled and will enable them on a case-by-case basis in /etc/portage/package.use.
I have sys-apps/systemd, sys-auth/consolekit, sys-auth/polkit, sys-fs/udev in /etc/portage/package.mask.
At the point I have got to at the moment, equery output indicates a few things requiring dbus, nothing needing polkit, but pambase requiring consolekit.
Code:
equery d dbus polkit consolekit pambase
 * These packages depend on dbus:
app-text/ghostscript-gpl-9.05-r1 (dbus ? sys-apps/dbus)
dev-libs/dbus-glib-0.100.2 (>=sys-apps/dbus-1.6.2)
dev-libs/glib-2.32.4-r1 (test ? >=sys-apps/dbus-1.2.14)
net-print/cups-1.6.4 (dbus ? sys-apps/dbus)
net-print/foomatic-filters-4.0.17 (sys-apps/dbus)
 * These packages depend on polkit:
 * These packages depend on consolekit:
sys-auth/pambase-20120417-r3 (consolekit ? >=sys-auth/consolekit-0.4.5_p2012[pam])
 * These packages depend on pambase:
app-admin/sudo-1.8.6_p7 (pam ? sys-auth/pambase)
net-misc/openssh-5.9_p1-r4 (pam ? >=sys-auth/pambase-20081028)
sys-apps/openrc-0.12.4 (pam ? sys-auth/pambase)
sys-apps/shadow-4.1.5.1-r1 (pam ? >=sys-auth/pambase-20120417)
sys-libs/pam-1.1.6-r2 (sys-auth/pambase)
So to drop consolekit completely it looks as though I will need to drop pam which is when I start to feel nervous, about whether this is something I should be doing.
I initially built busybox with the static USE flag so it had pam support disabled ... I just had to replace a few root:video and root:audio with numeric values in /etc/mdev.conf for that ...
So ... Is pam really going to be doing much for me? Are there hidden/unintended consequences I should be aware of by removing pam from the system? Is there another way of removing consolekit?
Portage does not complain with the addition of -pam. I don't mind keeping all the pieces on a fresh install but don't want to compromise system security unnecessarily.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6103 Location: Dallas area
Posted: Mon Jan 20, 2014 1:29 am
I run a single user desktop/server, I don't use pam, *kit, dbus and run an old version of udev.
It suffices for me. I don't have logins for my kids, but they wouldn't use it anyway.
They do access the storage disks by way of samba (they use windows).
AFAIK you should be able to set up different user accounts without pam.
Pam is more for when you don't completely trust the people you give accounts to, IMO.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Mon Jan 20, 2014 1:35 am
I don't know of any problems. Just set your USE flags, emerge -auvND world, emerge -ac and you should be good to go.
-Another happy user with -*kits, -pam, and -udev.
_________________
First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
miket Guru
Joined: 28 Apr 2007 Posts: 489 Location: Gainesville, FL, USA
Posted: Mon Jan 20, 2014 4:55 am
Well, you *can* emerge pam without consolekit. I've got just that kind of setup: I have pam but am kit-free.
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Mon Jan 20, 2014 8:41 pm
Anon-E-moose wrote:
    Pam is more for when you don't completely trust the people you give accounts to, IMO.
Could you clarify what you mean by that please.
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Mon Jan 20, 2014 8:44 pm
miket wrote:
    Well, you *can* emerge pam without consolekit. I've got just that kind of setup: I have pam but am kit-free.
IUSE consolekit in the ebuild put me off trying to do that ...
xaviermiller Bodhisattva
Joined: 23 Jul 2004 Posts: 8711 Location: ~Brussels - Belgique
Posted: Mon Jan 20, 2014 8:49 pm
Hello,
I need PAM only for pro-audio applications that need real-time scheduling, and that goes through PAM.
But without that, I could live without PAM and *kit.
_________________
Kind regards,
Xavier Miller
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Mon Jan 20, 2014 8:51 pm
The Doctor wrote:
    I don't know of any problems. Just set your USE flags, emerge -auvND world, emerge -ac and you should be good to go.
    -Another happy user with -*kits, -pam, and -udev.
I'm hoping that's going to be the case
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6103 Location: Dallas area
Posted: Mon Jan 20, 2014 10:13 pm
jonathan183 wrote:
    Anon-E-moose wrote:
        Pam is more for when you don't completely trust the people you give accounts to, IMO.
    Could you clarify what you mean by that please.
Pam is usually used in an environment where you want to limit the ability of the users to do certain things.
Think of a business where one or two might know the root password,
but others would have limited power to do things, such as shutting down the system
or whatever they were limited to.
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Tue Jan 21, 2014 12:45 am
Anon-E-moose wrote:
    Pam is usually used in an environment where you want to limit the ability of the users to do certain things.
    Think of a business where one or two might know the root password,
    but others would have limited power to do things, such as shutting down the system
    or whatever they were limited to.
I lock the root account and use sudo. I add users by name to sudoers rather than using wheel group etc. I create a separate user account for specific tasks - for example I have users for:-
admin (sudo to run emerge, tripwire, rkhunter, vimdiff without passwd and bash with a passwd... still being lazy)
kernel_builder (sudo to chown /usr/src/linux to themselves, install modules but build kernel as a regular user)
iptables_admin (sudo iptables, modprobe can start and stop firewall but not configured to access net)
email (run claws-mail to access email, able to write information to websurfer home area so links are never followed direct from email but can be copied to a temporary file)
websurfer (run firefox, links2 etc)
regular user (access to user docs & able to transfer to/from email and websurfer home areas, not able to access the net)
I have a group set up for net access. I trust myself and would trust any users I put on the system for email/websurfer/regular user - I am the only admin.
I use sg to start applications like firefox with my net access group, so any old program trying to access the net would need to know to run as my net group in order to access the net.
So I think a combination of user account, sudo and iptables allows me to secure the system. Any user on my system just needs to make their mind up if they want to access email, surf the web or write documents/view photos etc and login as the required user. The password can be the same for all three accounts they have ... just login as jonathan-email jonathan-websurfer or jonathan-user then startx is all they need to do.
I want to keep things simple, consistent and rely on the minimum complexity tools. I don't need or want gnome/kde/xfce/lxde etc, I use IceWM which looks the same and behaves the same on all the PCs I have. The toolbar and menu are configured so things are in the same place always, I can swap openoffice for libreoffice and it is in the same place & could be called the same thing.
Now if things start falling apart because I remove pam then I probably don't want to remove pam.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6103 Location: Dallas area
Posted: Tue Jan 21, 2014 10:32 am
I haven't had pam installed on my system in a very long time.
I do run lxde, but I could just as easily go with openbox and tint2 or some other panel.
I also prefer to use sudo, and anyone that I would add on my system I would trust.
So you should be able to pull pam out, without any long term problems to the system.
Some packages would need to be rebuilt, but I don't remember how many.
Code:
USE="-pam -consolekit -policykit" emerge -pvuDN --with-bdeps y @world
Would give you an idea though.
Good luck.
Edit to add: this is from my /etc/make.conf
Code:
-introspection -hal -bluetooth -kde -gnome -libnotify -pam -consolekit -policykit -systemd -udisks -upower -pulseaudio
Edit to add 2: It wouldn't hurt to leave pam installed, either. Just don't use it. It's your system and your choice.
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
Posted: Tue Jan 21, 2014 5:30 pm
jonathan183 wrote:
    Now if things start falling apart because I remove pam then I probably don't want to remove pam.
Why do you think that removing pam changes anything in your setup? You are speaking about a single machine, not about a network where you want a centralized and magically distributed login or some other fancy stuff for which pam is really required, are you?
As far as I can see, nothing will change for you if you remove pam, except that your system might even be somewhat more secure since you removed one level of unnecessary (for you) complexity. Just do not forget to run revdep-rebuild after removing pam, since otherwise you might not be able to log in afterwards.
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Tue Jan 21, 2014 5:39 pm
Actually, I think you can argue that your security will increase when you remove pam. If you don't need it, pam simply becomes another potential threat. I'm not saying there is anything wrong with it, just that if there is any security hole or exploit that is discovered you will be needlessly exposed.
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Wed Jan 22, 2014 8:20 pm
OK thanks for the responses
The Doctor wrote:
    -Another happy user with -*kits, -pam, and -udev.
Now I'm wondering what else I don't need ... how about openldap? |
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Thu Jan 23, 2014 10:06 am
You probably don't need openldap. I don't.
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
Posted: Thu Jan 23, 2014 1:16 pm
PaulBredbury wrote:
    You probably don't need openldap.
This is even less needed than pam (on a single system or small home network - of course, it is different for a huge university network).
Unfortunately, the library is needed anyway if you want to make official pdf annotations (with acroread). Of course there is no technical reason for this except that Adobe fails to release sane binaries.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Thu Jan 23, 2014 5:16 pm
Be careful when removing openldap - recompile audit, and shadow. Otherwise, you can end up with a broken /bin/login (provided by shadow), which is quite inconvenient to fix, since ya can't log in to fix it
I think I'll symlink /bin/login to busybox, to be safer in future
Edit: Nah, busybox's login doesn't apply /etc/security/limits.d/* - when not built with PAM, anyway.
Last edited by PaulBredbury on Sat Jan 25, 2014 10:19 am; edited 2 times in total
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Thu Jan 23, 2014 6:38 pm
Wouldn't the safe way be to put things like "-pam" and/or "-ldap" in make.conf USE flags, rebuild with "-N" to pick up the changes, then remove the packages?
_________________
.sigs waste space and bandwidth
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Thu Jan 23, 2014 8:10 pm
depontius wrote:
    Wouldn't the safe way be to put things like "-pam" and/or "-ldap" in make.conf USE flags, rebuild with "-N" to pick up the changes, then remove the packages?
I don't think that strategy helps much ... shadow is not going to be rebuilt for system or world
Code:
emerge -pvDN system
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-misc/openssh-6.4_p1-r1 USE="hpn tcpd -X -X509 -bindist -kerberos -ldap* -ldns -libedit -pam (-selinux) -skey -static" 0 kB
Total: 1 package (1 reinstall), Size of downloads: 0 kB
emerge -pvDN world
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-misc/curl-7.34.0-r1 USE="ssl threads -adns -idn -ipv6 -kerberos -ldap* -metalink -rtmp -ssh -static-libs {-test}" CURL_SSL="openssl -axtls -cyassl -gnutls -nss -polarssl" 0 kB
[ebuild U ] media-libs/harfbuzz-0.9.23:0/0.9.18 [0.9.12:0/0] USE="cairo%* glib%* graphite%* icu%* truetype%* -introspection% -static-libs" 0 kB
[ebuild U ] x11-libs/pango-1.34.1 [1.30.1] USE="X -debug -introspection*" 0 kB
[ebuild R ] app-admin/sudo-1.8.6_p7 USE="nls sendmail -ldap* -offensive -pam (-selinux) -skey" 0 kB
[ebuild R ] app-crypt/gnupg-2.0.22 USE="bzip2 nls readline usb -adns -doc -ldap* -mta (-selinux) -smartcard -static" 0 kB
[ebuild rR ] media-libs/openjpeg-1.5.1 USE="-doc -static-libs {-test}" 0 kB
[ebuild N ] dev-libs/libusbx-1.0.17:1 USE="-debug -doc -examples -static-libs {-test} -udev" 0 kB
[uninstall ] dev-libs/libusb-1.0.9:1 USE="-debug -doc -static-libs"
[blocks b ] dev-libs/libusbx:1 ("dev-libs/libusbx:1" is blocking dev-libs/libusb-1.0.9)
[blocks b ] dev-libs/libusb:1 ("dev-libs/libusb:1" is blocking dev-libs/libusbx-1.0.17)
[ebuild U ] virtual/libusb-1-r1:1 [1:1] 0 kB
[ebuild R ] net-print/cups-1.6.4 USE="acl filters gnutls ssl threads usb -X -dbus -debug -java -kerberos -lprng-compat -pam* -python (-selinux) -static-libs -xinetd -zeroconf" LINGUAS="-ca -es -fr -ja -ru" PYTHON_SINGLE_TARGET="python2_7 -python2_6" PYTHON_TARGETS="python2_7 -python2_6" 0 kB
[ebuild U ] x11-libs/gtk+-2.24.22:2 [2.24.17:2] USE="cups (-aqua) -debug -examples -introspection* {-test} -vim-syntax -xinerama" 0 kB
[ebuild R ] mail-client/claws-mail-3.9.0 USE="crypt imap session spell ssl -bogofilter -dbus -dillo -doc -ipv6 -ldap* -nntp -pda -smime -spamassassin -startup-notification -xface" 0 kB
[ebuild U ] www-client/firefox-24.1.1 [17.0.9] USE="alsa jit minimal -bindist -custom-cflags -custom-optimization -dbus -debug -gstreamer -libnotify* (-pgo) -pulseaudio% (-selinux) -startup-notification -system-cairo% -system-icu% -system-jpeg% -system-sqlite -wifi" LINGUAS="en_GB -af -ak -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -csb -cy -da -de -el -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -ku -lg -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -nso -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -ta_LK -te -th -tr -uk -vi -zh_CN -zh_TW -zu" 0 kB
[ebuild U ] net-print/foomatic-filters-4.0.17-r1 [4.0.17] USE="cups -dbus*" 0 kB
Total: 13 packages (6 upgrades, 1 new, 6 reinstalls, 1 uninstall), Size of downloads: 0 kB
Conflict: 2 blocks
I had already rebuilt shadow after removing pam and don't have audit installed
Code:
emerge -pv shadow audit
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild N ] sys-libs/libcap-ng-0.7.3 USE="-python -static-libs" 384 kB
[ebuild R ] sys-apps/shadow-4.1.5.1-r1 USE="acl cracklib nls -audit -pam (-selinux) -skey -xattr" 0 kB
[ebuild N ] sys-process/audit-2.1.3-r1 USE="-ldap (-prelude) -python" 815 kB
Total: 3 packages (2 new, 1 reinstall), Size of downloads: 1,198 kB
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6103 Location: Dallas area
Posted: Thu Jan 23, 2014 8:54 pm
jonathan183 wrote:
    depontius wrote:
        Wouldn't the safe way be to put things like "-pam" and/or "-ldap" in make.conf USE flags, rebuild with "-N" to pick up the changes, then remove the packages?
    I don't think that strategy helps much ... shadow is not going to be rebuilt for system or world
The -pam -ldap use flags would work fine for everything except sys-apps/shadow.
Not sure why that's not being picked up, something funny in the way portage sees it.
But as you showed it could be rebuilt separately.
I always test with "emerge -pv --depclean <package name>" to see what might be holding that package from being removed.
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Thu Jan 23, 2014 10:40 pm
Anon-E-moose wrote:
    I always test with "emerge -pv --depclean <package name>" to see what might be holding that package from being removed.
thanks Anon-E-moose - I probably should have switched to this rather than using --unmerge ... must have skipped over emerge man page
Quote:
    Depclean serves as a dependency aware version of --unmerge. When given one or more atoms, it will unmerge matched packages that have no reverse dependencies. Use --depclean together with --verbose to show reverse dependencies.
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Fri Jan 24, 2014 12:21 am
How about removal of acl
and USE flags -acl -xattr -sendmail -cxx
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Fri Jan 24, 2014 12:56 am Post subject: Re: Opinions on removing PAM from a single user desktop syst
jonathan183 wrote:
    Is PAM required for a single user desktop system
I don't use PAM. But I also don't use KDE/Gnome. Everything works fine with xdm/fluxbox.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6103 Location: Dallas area
Posted: Fri Jan 24, 2014 1:36 am
jonathan183 wrote:
    How about removal of acl
    and USE flags -acl -xattr -sendmail -cxx
Try "euse -I <flag>" to see which packages are using it
Example:
Code:
euse -I acl
global use flags (searching: acl)
************************************************************
[+ D ] acl - Add support for Access Control Lists
Installed packages matching this USE flag:
app-admin/logrotate-3.8.7
app-arch/libarchive-3.1.2-r1
app-editors/gvim-7.3.762
app-editors/vim-7.3.762
app-editors/vim-core-7.3.762
app-misc/emelfm2-0.8.1
net-fs/samba-3.5.22
net-misc/rsync-3.0.9-r3
net-print/cups-1.5.2-r4
sys-apps/coreutils-8.21
sys-apps/sed-4.2.1-r1
sys-apps/shadow-4.1.5.1-r1
sys-devel/gettext-0.18.2
sys-fs/ntfs3g-2013.1.13
local use flags (searching: acl)
************************************************************
[+ D ] acl (app-admin/logrotate):
Installs acl support
I don't know that you'll gain much by removing those particular flags.
I use sendmail, so removing the flag wouldn't do much in my case, as I would still use sendmail.
It might shrink executables down by a little, but that's not a given.
The major flags that affect package bloat are the ones I mentioned earlier from my make.conf file, IMO.
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
Posted: Fri Jan 24, 2014 11:46 am
jonathan183 wrote:
    How about removal of acl
    and USE flags -acl -xattr -sendmail -cxx
-acl is fine for single-user systems. Actually you can even remove support for POSIX Access Control Lists from the filesystems in your kernel. Again, be careful with recompiling.
I would recommend keeping xattr and keeping/setting security labels for your filesystems in the kernel: this is the new way hardened-sources marks exceptional binaries, and it is also needed if you should ever want to run overlayfs.
sendmail is not important and up to you, but probably you want to install an MTA anyway, e.g. to get errors from cron.
cxx is heavily needed unless you build an extremely tiny embedded system; many basic projects use C++.