Opinions on removing PAM from a single user desktop system

[jonathan183]

I don't know that you'll gain much by removing those particular flags.
...
The major flags that affect package bloat are the ones I mentioned earlier from my make.conf file, IMO.

OK thanks ... I want to avoid the bloat, minimise the potential exposure to security threats but still have a usable desktop system. The more I strip out without compromising security or loosing the functionality I use and care about the better

-acl is fine for single-user systems. Actually you can even remove support for POSIX Access Control Lists in your kernel from the filesystems. Again, you will be careful with recompiling.
I would recommend to keep xattr and to keep/set security labels for your filesystems in the kernel: This is the new way how hardened-sources marks exceptional binaries, and this is also needed if you should ever want to run overlayfs.
sendmail is not important and up to you, but probably you want to install a MTA anyway e.g. to get errors from cron.
cxx is a heavily needed unless you build an extremely tiny embedded systems; many basic projects use c++.

Thanks ... I think I'll go with -acl. I'm sure at some point I'll figure something out I actually want to use cron for ... tripwire, chkrootkit, rkhunter pull it in. If I wanted to schedule this then it would be the tool of choice, but I don't. No use flag to remove it from tripwire or rkhunter

Thanks everyone for your patience and replies

[Roman_Gruber]

Edit to add: this is from my /etc/make.conf

Code: Select all

-introspection -hal -bluetooth -kde -gnome -libnotify -pam -consolekit -policykit -systemd -udisks -upower -pulseaudio

Edit to add 2: It wouldn't hurt to leave pam installed, either. Just don't use it. It's your system and your choice.

Thanks I just try that out now.

I just saw that hal does not exists anymore on my box. I could not find it in my make.conf and also ufed does not show hal anymore. Maybe the hal useflag is already gone ...

[Chiitoo]

I just saw that hal does not exists anymore on my box. I could not find it in my make.conf and also ufed does not show hal anymore. Maybe the hal useflag is already gone ...

If I'm not horribly wrong, hal has been gone about two years now. ^^


(Also another user here with KDE/Enlightenment without pam, *kit, and the likes. For the time being, using udev, but soon going static at least as a test at first.)

[Anon-E-moose]

Yes, hal has long been gone, I just didn't clean up make.conf when it disappeared completely.
Doesn't hurt anything (on my system) so I just left it.

As always, modify those flags I use for your individual case,
ie I don't use bluetooth, so I have the flag there, if you do then of course remove it.

[PaulBredbury]

Hang on a minute!

If /bin/login isn't built with PAM, then how would /etc/security/limits.d/* get applied? Which is needed for sensible process prioritization (which 99% of users ignore, it seems).

Edit: Here's CK blog, as an interesting read.

[Anon-E-moose]

Hang on a minute!

If /bin/login isn't built with PAM, then how would /etc/security/limits.d/* get applied? Which is needed for sensible process prioritization (which 99% of users ignore, it seems).

I don't have /etc/security/limits.d/, I have /etc/security/limits.conf, which date back to jan 2013.
Not sure what installed it or why.

I've never had any problem with video playback, and I watch a fair amount of movies, anime, etc.
and don't use pam, process prioritization, etc.
If a process really needed a better priority, I would use the old standby, nice

Thus in my case no need for pam having anything to do with /bin/login

Edit to add: I do use zen patches and BFS for my scheduler. Don't know if that makes a difference re. prioritization.

[PaulBredbury]

I would use the old standby, nice

Well, of course. The point is that it is very convenient for a user to be able to set a negative niceness, for the convenient setting of relative priorities, since the default is of course a niceness of zero.

These settings show their usefulness when the system is under load.

[mv]

If /bin/login isn't built with PAM, then how would /etc/security/limits.d/* get applied?

Without PAM the file is called /etc/limits and is interpreted directly by sys-apps/shadow.

[mv]

These settings show their usefulness when the system is under load.

The limits have nothing to do whether you have pam or not - it is just a question how you specify it.
However, in any case I would not allow a default priority lower than 0 since this is even lower than system tasks which should react on IRQs etc. It is really dangerous to do this. If you want to view movies (on a single-user system) when the system is under load it is better to give your other tasks a lower priority - but usually nothing helps anyway because the hangs are not caused by priority questions but by io things which you cannot control reasonably (e.g. I have a laptop where nothing runs when it flushes to disk - the disk just blocks the processor completely). In an emergency case you can still use sudo to set negative nice values, but as said: In my experience it helps nothing and can do harm. On a multiuser system I would not give any user permission to set negative priority, anyway.

[PaulBredbury]

/etc/limits

Thanks. According to shadow's README.limits file, there's no way to let the user set a negative niceness

E.g. in /etc/security/limits.d/91-limits.conf:

Code: Select all

myusername       -       nice        -8

So it looks like I need /bin/login linked to PAM.

even lower than system tasks which should react on IRQs

Are you sure? This shows a lot of kernel processes running at a niceness of -20:

Code: Select all

ps -eo pid,rtprio,nice,policy,ruser,rgroup,comm,args

You say it's "dangerous", yet I've been doing this for years without seeing adverse effects

Edit: Just to make things a bit clearer: -20 takes priority over -8

[Anon-E-moose]

Bottom line,
Can one have a nice responsive system with pam? Yes
Can one have a nice responsive system without pam? Yes

Use what you like, what fits your needs, and the way you like your system.

I know that not only is my hardware different than many others,
including things like turning off changing cpu frequency, etc,
but I do things a completely different way.
I boot up into console mode, then use startx. I usually run my emerges from the console, etc.

So everyone's system is different even if they were using the same hardware.

Use what works for you, though I do like hearing of the way different people run their system and why.
If it looks good enough, for me, I might change the way that I run my own system.

[mv]

/etc/limits

Thanks. According to shadow's README.limits file, there's no way to let the user set a negative niceness

Maybe; I have never tried. As I said, a negative value is usually not a good idea since normally you do not want to interfere with kernel processes. Concerning other processes only the relative value is important. If you really want to allow it for a particular program, it is probably safer to set a sudo exception.

Are you sure? This shows a lot of kernel processes running at a niceness of -20:

So you probably do not want to decrease the ratio to them to slow these down relatively.

You say it's "dangerous", yet I've been doing this for years without seeing adverse effects

I guess this can all depend on your hardware. It is probably hard to predict what happens if your system reacts too slow on certain hardware IRQs. When you are burning a dvd, it is clear what is happening. I would guess that you can similarly e.g. wear your harddisk more than necessary, but I am not a hardware expert.

[PaulBredbury]

So you probably do not want to decrease the ratio to them to slow these down relatively.

What? Where's the sense in what you're saying?

These niceness levels exist so that they can be used, and altered. And I do. The kernel doesn't panic, files don't get corrupted, wi-fi stays up and reliable. Why are you scaremongering?

I'm using this e.g. to state, quite deliberately, that the CPU should give priority to e.g. a music player and especially a video player, over the "normal" CPU processes (i.e. the processes which are niceness zero). It's that simple.

Burning a DVD is a special case (haven't done it for a while, not sure if it's still realtime-critical with e.g. "burnfree"), and I would give that a negative niceness too (and use ionice), as appropriate.

[mv]

These niceness levels exist so that they can be used

And there is a reason that the default lowest niceness for a normal user is 0 and not -20

The kernel doesn't panic, files don't get corrupted, wi-fi stays up and reliable.

Maybe it does, but maybe there is considerable more delay (e.g. a need to retransfer packets or even reestablish some connection) than usual. Does saving a few milliseconds by slowing down basic kernel tasks really improve your experience when watching videos? I mean:

give priority to e.g. a music player and especially a video player, over the "normal" CPU processes (i.e. the processes which are niceness zero).

Why do you start your "normal" processes at lowest possible niceness in the first place? Starting your shell (and thus everything else) with a higher niceness by default won't hurt you with a low load, and giving niceness 0 to a process is then practically the same as giving a negative niceness, except that you are saver from interfering with really basic tasks: Instead of decreasing niceness of video, it is probably better to increase niceness of the rest. (Of course, you can also do this only at the moment when you decide that you want to watch a video and observe that it is too slow).

[PaulBredbury]

there is a reason that the default lowest niceness for a normal user is 0 and not -20

I am not interfering with the kernel's high-priority threads (although we can if we want). I use -8 as my highest user priority, that's all. It gives me plenty of scale.

a few milliseconds

There's only 16 milliseconds per frame, at 60fps. So yeah, the kernel should wait. There is no disadvantage in such prioritization!

Why do you start your "normal" processes at lowest possible niceness in the first place?

I don't. Whatever gives you that idea?

Here's some more examples, for those interested.

[jonathan183]

My understanding is pam is for user authentication ... so if I want to authenticate users using a fingerprint reader or some other method then pam might help me out.
If I have a problem with system responsiveness then I don't think pam is the answer ... and if removing pam makes my system unresponsive then I will look at how to resolve this, re-installing pam would not be my first approach.

If it's not installed then it can't leak, break or be incorrectly configured ...

[mv]

My understanding is pam is for user authentication ...

Yes, it is. However pam's /etc/security/... is a little bit more fine-grained than /etc/limits.conf; the case of negative maximal niceness just discussed is only one of several minor differences; a default niceness is another one; the possibiity to avoid things like suxs or sudox to pass X authorization is yet another extension which you get only with pam; also some screenlockers have decided to rely only on pam and not any "manual" authentification method. So in some cases, pam really has advantages.
On the other hand, all these conveniences come at the price of introducing an already rather complex layer.
If you play this game to the extreme, you end up with polkit: Convenience everywhere, but due to the complexity you can almost expect that your system is vulnerable. Only running everything directly as root is even more convenient and only slightly less secure

[mv]

Here's some more examples, for those interested.

Wasn't there a daemon which would automatically set the niceness based on the process name and a configurable list? (Maybe it was app-admin/verynice?) This could be something for you.
I never cared too much about it since in my experience changes in niceness did not have a remarkable influence on the performance: On my slower machines, RAM is the bottleneck so e.g. compiling gcc in the background makes the machine almost unusable even with highest nice and ionice, and my faster machines are so fast that I do not observe any disturbing slowdown when viewing video except on a view occassions when the harddisk becomes the bottleneck.

[PaulBredbury]

I noted verynice, but didn't bother trying it, because I don't need/want a daemon. Sensible defaults for nice & ionice work fine