Gentoo Forums
Opinions on removing PAM from a single user desktop system
Forum: Other Things Gentoo
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Mon Jan 20, 2014 12:47 am, subject: Opinions on removing PAM from a single user desktop system

Is PAM required for a single user desktop system ... or, to put it a different way, if I remove PAM will I be compromising the security of the system?
If I expanded the number of users to fewer than 5 (all local login, one user at a time) would the answer be different?

Some of the background to my question below ...
I have been using Gentoo along with a couple of other distros (including Arch) for a few years now and have done a fresh install on a spare partition (attempting to use tripwire from a fresh install). I'm trying to get it set up the way I want, which means:
openrc for system boot with busybox mdev as the device manager
boot to command line login and use startx (when I want to use X)
IceWM as the window manager
Various applications such as firefox, claws-mail, leafpad, libreoffice, mupdf, gimp, smplayer and pcmanfm running in X.
Applications such as mplayer, links2 running using directfb. System admin cli only, cp/rsync/mv/chown/chmod/iptables etc cli only.

What I don't want - systemd, gnome, kde, xfce etc. I also don't want *kit, will suffer dbus if I must. I'll stick with mdev but if I do need to switch I'll go with eudev.
I have USE flags with most things including X disabled and will enable them on a case by case basis in /etc/portage/package.use.
I have sys-apps/systemd, sys-auth/consolekit, sys-auth/polkit, sys-fs/udev in /etc/portage/package.mask.

At the point I have got to at the moment, equery output indicates a few things requiring dbus, nothing needing polkit, but pambase requiring consolekit.
Code:
equery d dbus polkit consolekit pambase
 * These packages depend on dbus:
app-text/ghostscript-gpl-9.05-r1 (dbus ? sys-apps/dbus)
dev-libs/dbus-glib-0.100.2 (>=sys-apps/dbus-1.6.2)
dev-libs/glib-2.32.4-r1 (test ? >=sys-apps/dbus-1.2.14)
net-print/cups-1.6.4 (dbus ? sys-apps/dbus)
net-print/foomatic-filters-4.0.17 (sys-apps/dbus)

 * These packages depend on polkit:

 * These packages depend on consolekit:
sys-auth/pambase-20120417-r3 (consolekit ? >=sys-auth/consolekit-0.4.5_p2012[pam])

 * These packages depend on pambase:
app-admin/sudo-1.8.6_p7 (pam ? sys-auth/pambase)
net-misc/openssh-5.9_p1-r4 (pam ? >=sys-auth/pambase-20081028)
sys-apps/openrc-0.12.4 (pam ? sys-auth/pambase)
sys-apps/shadow-4.1.5.1-r1 (pam ? >=sys-auth/pambase-20120417)
sys-libs/pam-1.1.6-r2 (sys-auth/pambase)


So to drop consolekit completely it looks as though I will need to drop pam, which is when I start to feel nervous about whether this is something I should be doing.
I initially built busybox with the static USE flag so it had pam support disabled ... I just had to replace a few root:video and root:audio with numeric values in /etc/mdev.conf for that ...
So ... Is pam really going to be doing much for me? Are there hidden/unintended consequences I should be aware of from removing pam from the system? Is there another way of removing consolekit?

Portage does not complain with the addition of -pam, I don't mind keeping all the pieces on a fresh install but don't want to compromise system security unnecessarily ;)
Anon-E-moose (Watchman; joined 23 May 2008; 6095 posts; location: Dallas area)
Posted: Mon Jan 20, 2014 1:29 am

I run a single user desktop/server, I don't use pam, *kit, dbus and run an old version of udev.

It suffices for me. I don't have logins for my kids, but they wouldn't use it anyway.
They do access the storage disks by way of samba (they use windows)

AFAIK you should be able to set up different user accounts without pam.

PAM is more for when you don't completely trust the people you give accounts to, IMO.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
The Doctor (Moderator; joined 27 Jul 2010; 2678 posts)
Posted: Mon Jan 20, 2014 1:35 am

I don't know of any problems. Just set your useflags, emerge -auvND world, emerge -ac and you should be good to go.

-Another happy user with -*kits, -pam, and -udev.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
miket (Guru; joined 28 Apr 2007; 483 posts; location: Gainesville, FL, USA)
Posted: Mon Jan 20, 2014 4:55 am

Well, you *can* emerge pam without consolekit. I've got just that kind of setup: I have pam but am kit-free.
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Mon Jan 20, 2014 8:41 pm

Anon-E-moose wrote:
PAM is more for when you don't completely trust the people you give accounts to, IMO.

Could you clarify what you mean by that please.
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Mon Jan 20, 2014 8:44 pm

miket wrote:
Well, you *can* emerge pam without consolekit. I've got just that kind of setup: I have pam but am kit-free.

IUSE consolekit in ebuild put me off trying to do that ...
xaviermiller (Bodhisattva; joined 23 Jul 2004; 8706 posts; location: ~Brussels - Belgique)
Posted: Mon Jan 20, 2014 8:49 pm

Hello,

I need PAM only for pro-audio applications that need real-time scheduling, and that goes through PAM.

But without that, I could live without PAM and *kit.
_________________
Kind regards,
Xavier Miller
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Mon Jan 20, 2014 8:51 pm

The Doctor wrote:
I don't know of any problems. Just set your useflags, emerge -auvND world, emerge -ac and you should be good to go.

-Another happy user with -*kits, -pam, and -udev.
I'm hoping that's going to be the case 8)
Anon-E-moose (Watchman; joined 23 May 2008; 6095 posts; location: Dallas area)
Posted: Mon Jan 20, 2014 10:13 pm

jonathan183 wrote:
Anon-E-moose wrote:
PAM is more for when you don't completely trust the people you give accounts to, IMO.

Could you clarify what you mean by that please.


PAM is usually used in an environment where you want to limit the ability of the users to do certain things. Think of a business where one or two people might know the root password, but others would have limited power to do things, such as shutting down the system, or whatever they were limited to.
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Tue Jan 21, 2014 12:45 am

Anon-E-moose wrote:
PAM is usually used in an environment where you want to limit the ability of the users to do certain things. Think of a business where one or two people might know the root password, but others would have limited power to do things, such as shutting down the system, or whatever they were limited to.

I lock the root account and use sudo. I add users by name to sudoers rather than using the wheel group etc. I create a separate user account for specific tasks - for example I have users for:
admin (sudo to run emerge, tripwire, rkhunter, vimdiff without passwd and bash with a passwd... still being lazy)
kernel_builder (sudo to chown /usr/src/linux to themselves, install modules but build kernel as a regular user)
iptables_admin (sudo iptables, modprobe can start and stop firewall but not configured to access net)
email (run claws-mail to access email, able to write information to websurfer home area so links are never followed direct from email but can be copied to a temporary file)
websurfer (run firefox, links2 etc)
regular user (access to user docs & able to transfer to/from email and websurfer home areas, not able to access the net)

I have a group set up for net access. I trust myself and would trust any users I put on the system for email/websurfer/regular user - I am the only admin.
I use sg to start applications like firefox with my net access group, so any old program trying to access the net would need to know to run as my net group in order to access the net.

So I think a combination of user accounts, sudo and iptables allows me to secure the system. Any user on my system just needs to make their mind up whether they want to access email, surf the web or write documents/view photos etc. and log in as the required user. The password can be the same for all three accounts they have ... just log in as jonathan-email, jonathan-websurfer or jonathan-user, then startx, is all they need to do.

I want to keep things simple, consistent and rely on the minimum complexity tools. I don't need or want gnome/kde/xfce/lxde etc, I use IceWM which looks the same and behaves the same on all the PCs I have. The toolbar and menu are configured so things are in the same place always, I can swap openoffice for libreoffice and it is in the same place & could be called the same thing.

Now if things start falling apart because I remove pam then I probably don't want to remove pam.
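The per-task accounts, sudo rules and group-gated firewall described in the post above, written out as an added example; this is not code from the post or from any Gentoo tool. The group name netaccess, the account names, the command paths and the file /etc/sudoers.d/per-task are assumptions. The script only renders the fragments; nothing is written or applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Renders (a) a sudoers fragment for the
# per-task accounts and (b) an OUTPUT chain that only lets one group create
# outbound traffic. Hypothetical names: group "netaccess", users admin,
# kernel_builder, iptables_admin. Nothing is written unless APPLY=1.
set -eu

NET_GROUP="${NET_GROUP:-netaccess}"

# sudoers fragment. Root is locked, so each task account gets an explicit
# command list; only the interactive root shell for "admin" asks for a password.
# Note: kernel_builder owns /usr/src/linux, so "make ... modules_install" as
# root trusts whatever Makefile that account put there (as in the post's design).
render_sudoers() {
    cat <<'EOF'
# /etc/sudoers.d/per-task  (check with: visudo -c -f <file>; mode 0440)
Defaults        env_reset, use_pty
admin           ALL=(root) NOPASSWD: /usr/bin/emerge, /usr/sbin/tripwire, /usr/bin/rkhunter, /usr/bin/vimdiff
admin           ALL=(root) PASSWD: /bin/bash
kernel_builder  ALL=(root) NOPASSWD: /bin/chown -R kernel_builder /usr/src/linux, /usr/bin/make -C /usr/src/linux modules_install
iptables_admin  ALL=(root) NOPASSWD: /sbin/iptables, /sbin/modprobe
EOF
}

# Outbound filter keyed on the socket creator's group. xt_owner is only valid
# in the OUTPUT and POSTROUTING chains and compares the process's *effective*
# GID (fsgid), not its supplementary groups: that is why the post starts
# browsers with sg(1), which switches the effective group before exec.
# The ESTABLISHED,RELATED line keeps replies to inbound connections (samba,
# sshd) working; drop it if the box runs no services.
render_iptables() {
    grp="$1"
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $grp -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# How a net-enabled program is launched from the unprivileged account
# ("sg netaccess -c firefox"); wrapped so a window-manager menu can call it.
launch_with_net() {
    exec sg "$NET_GROUP" -c "$*"
}

# A process started without sg keeps the user's primary group and hits the
# REJECT rule. Returns 0 when the current effective group name matches.
effective_group_is() {
    [ "$(id -gn)" = "$1" ]
}

if [ "${APPLY:-0}" = "1" ]; then
    render_sudoers > /etc/sudoers.d/per-task
    chmod 0440 /etc/sudoers.d/per-task
    visudo -c -f /etc/sudoers.d/per-task
    render_iptables "$NET_GROUP" | sh -e
fi
```

One caveat worth stating plainly: because the browsing account is itself a member of the net group, any code running as that user can call sg and pass the owner match. The rule therefore stops programs that were not deliberately started with network access, not a program that knows the trick, so it is a guard against accidental leakage rather than a sandbox.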
Anon-E-moose (Watchman; joined 23 May 2008; 6095 posts; location: Dallas area)
Posted: Tue Jan 21, 2014 10:32 am

I haven't had pam installed on my system in a very long time.
I do run lxde, but I could just as easily go with openbox and tint2 or some other panel.

I also prefer to use sudo, and anyone that I would add on my system I would trust.

So you should be able to pull pam out, without any long term problems to the system.
Some packages would need to be rebuilt, but I don't remember how many.

Code:
USE="-pam -consolekit -policykit" emerge -pvuDN --with-bdeps y @world


Would give you an idea though.

Good luck.

Edit to add: this is from my /etc/make.conf
Code:
-introspection -hal -bluetooth -kde -gnome -libnotify -pam -consolekit -policykit -systemd -udisks -upower -pulseaudio


Edit to add 2: It wouldn't hurt to leave pam installed, either. Just don't use it. It's your system and your choice.
mv (Watchman; joined 20 Apr 2005; 6747 posts)
Posted: Tue Jan 21, 2014 5:30 pm

jonathan183 wrote:
Now if things start falling apart because I remove pam then I probably don't want to remove pam.

Why do you think that removing pam changes anything in your setup? You are speaking about a single machine, not about a network where you want a centralized and magically distributed login or some other fancy stuff for which pam is really required, aren't you?

As far as I can see, nothing will change for you if you remove pam, except that your system might be even somewhat more secure since you removed one level of unnecessary (for you) complexity. Just do not forget to run revdep-rebuild after removing pam, since otherwise you might be able to log in afterwards :wink:
The Doctor (Moderator; joined 27 Jul 2010; 2678 posts)
Posted: Tue Jan 21, 2014 5:39 pm

Actually, I think you can argue that your security will increase when you remove pam. If you don't need it, pam simply becomes another potential threat. I'm not saying there is anything wrong with it, just that if there is any security hole or exploit that is discovered you will be needlessly exposed.
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Wed Jan 22, 2014 8:20 pm

OK thanks for the responses
The Doctor wrote:
-Another happy user with -*kits, -pam, and -udev.

Now I'm wondering what else I don't need ... how about openldap?
PaulBredbury (Watchman; joined 14 Jul 2005; 7310 posts)
Posted: Thu Jan 23, 2014 10:06 am

You probably don't need openldap. I don't.
mv (Watchman; joined 20 Apr 2005; 6747 posts)
Posted: Thu Jan 23, 2014 1:16 pm

PaulBredbury wrote:
You probably don't need openldap.

This is even less needed than pam (on a single system or small home network - of course, it is different for a huge university network).

Unfortunately, the library is needed anyway if you want to make official pdf annotations (with acroread). Of course there is no technical reason for this except that adobe fails to release sane binaries.
PaulBredbury (Watchman; joined 14 Jul 2005; 7310 posts)
Posted: Thu Jan 23, 2014 5:16 pm

Be careful when removing openldap - recompile audit and shadow. Otherwise, you can end up with a broken /bin/login (provided by shadow), which is quite inconvenient to fix, since ya can't log in to fix it ;)

I think I'll symlink /bin/login to busybox, to be safer in future :)
Edit: Nah, busybox's login doesn't apply /etc/security/limits.d/* - when not built with PAM, anyway.

Last edited by PaulBredbury on Sat Jan 25, 2014 10:19 am; edited 2 times in total
depontius (Advocate; joined 05 May 2004; 3509 posts)
Posted: Thu Jan 23, 2014 6:38 pm

Wouldn't the safe way be to put things like "-pam" and/or "-ldap" in make.conf USE flags, rebuild with "-N" to pick up the changes, then remove the packages?
_________________
.sigs waste space and bandwidth
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Thu Jan 23, 2014 8:10 pm

depontius wrote:
Wouldn't the safe way be to put things like "-pam" and/or "-ldap" in make.conf USE flags, rebuild with "-N" to pick up the changes, then remove the packages?


I don't think that strategy helps much ... shadow is not going to be rebuilt for system or world
Code:
emerge -pvDN system

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-misc/openssh-6.4_p1-r1  USE="hpn tcpd -X -X509 -bindist -kerberos -ldap* -ldns -libedit -pam (-selinux) -skey -static" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

emerge -pvDN world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-misc/curl-7.34.0-r1  USE="ssl threads -adns -idn -ipv6 -kerberos -ldap* -metalink -rtmp -ssh -static-libs {-test}" CURL_SSL="openssl -axtls -cyassl -gnutls -nss -polarssl" 0 kB
[ebuild     U  ] media-libs/harfbuzz-0.9.23:0/0.9.18 [0.9.12:0/0] USE="cairo%* glib%* graphite%* icu%* truetype%* -introspection% -static-libs" 0 kB
[ebuild     U  ] x11-libs/pango-1.34.1 [1.30.1] USE="X -debug -introspection*" 0 kB
[ebuild   R    ] app-admin/sudo-1.8.6_p7  USE="nls sendmail -ldap* -offensive -pam (-selinux) -skey" 0 kB
[ebuild   R    ] app-crypt/gnupg-2.0.22  USE="bzip2 nls readline usb -adns -doc -ldap* -mta (-selinux) -smartcard -static" 0 kB
[ebuild  rR    ] media-libs/openjpeg-1.5.1  USE="-doc -static-libs {-test}" 0 kB
[ebuild  N     ] dev-libs/libusbx-1.0.17:1  USE="-debug -doc -examples -static-libs {-test} -udev" 0 kB
[uninstall     ] dev-libs/libusb-1.0.9:1  USE="-debug -doc -static-libs"
[blocks b      ] dev-libs/libusbx:1 ("dev-libs/libusbx:1" is blocking dev-libs/libusb-1.0.9)
[blocks b      ] dev-libs/libusb:1 ("dev-libs/libusb:1" is blocking dev-libs/libusbx-1.0.17)
[ebuild     U  ] virtual/libusb-1-r1:1 [1:1] 0 kB
[ebuild   R    ] net-print/cups-1.6.4  USE="acl filters gnutls ssl threads usb -X -dbus -debug -java -kerberos -lprng-compat -pam* -python (-selinux) -static-libs -xinetd -zeroconf" LINGUAS="-ca -es -fr -ja -ru" PYTHON_SINGLE_TARGET="python2_7 -python2_6" PYTHON_TARGETS="python2_7 -python2_6" 0 kB
[ebuild     U  ] x11-libs/gtk+-2.24.22:2 [2.24.17:2] USE="cups (-aqua) -debug -examples -introspection* {-test} -vim-syntax -xinerama" 0 kB
[ebuild   R    ] mail-client/claws-mail-3.9.0  USE="crypt imap session spell ssl -bogofilter -dbus -dillo -doc -ipv6 -ldap* -nntp -pda -smime -spamassassin -startup-notification -xface" 0 kB
[ebuild     U  ] www-client/firefox-24.1.1 [17.0.9] USE="alsa jit minimal -bindist -custom-cflags -custom-optimization -dbus -debug -gstreamer -libnotify* (-pgo) -pulseaudio% (-selinux) -startup-notification -system-cairo% -system-icu% -system-jpeg% -system-sqlite -wifi" LINGUAS="en_GB -af -ak -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -csb -cy -da -de -el -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -ku -lg -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -nso -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -ta_LK -te -th -tr -uk -vi -zh_CN -zh_TW -zu" 0 kB
[ebuild     U  ] net-print/foomatic-filters-4.0.17-r1 [4.0.17] USE="cups -dbus*" 0 kB

Total: 13 packages (6 upgrades, 1 new, 6 reinstalls, 1 uninstall), Size of downloads: 0 kB
Conflict: 2 blocks


I had already rebuilt shadow after removing pam, and don't have audit installed:
Code:
emerge -pv shadow audit

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N     ] sys-libs/libcap-ng-0.7.3  USE="-python -static-libs" 384 kB
[ebuild   R    ] sys-apps/shadow-4.1.5.1-r1  USE="acl cracklib nls -audit -pam (-selinux) -skey -xattr" 0 kB
[ebuild  N     ] sys-process/audit-2.1.3-r1  USE="-ldap (-prelude) -python" 815 kB

Total: 3 packages (2 new, 1 reinstall), Size of downloads: 1,198 kB
Anon-E-moose (Watchman; joined 23 May 2008; 6095 posts; location: Dallas area)
Posted: Thu Jan 23, 2014 8:54 pm

jonathan183 wrote:
depontius wrote:
Wouldn't the safe way be to put things like "-pam" and/or "-ldap" in make.conf USE flags, rebuild with "-N" to pick up the changes, then remove the packages?


I don't think that strategy helps much ... shadow is not going to be rebuilt for system or world


The -pam -ldap use flags would work fine for everything except sys-apps/shadow.

Not sure why that's not being picked up, something funny in the way portage sees it.

But as you showed it could be rebuilt separately.


I always test with "emerge -pv --depclean <package name>" to see what might be holding that package from being removed.
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Thu Jan 23, 2014 10:40 pm

Anon-E-moose wrote:
I always test with "emerge -pv --depclean <package name>" to see what might be holding that package from being removed.


Thanks Anon-E-moose - I probably should have switched to this rather than using --unmerge ... I must have skipped over it in the emerge man page:
Quote:
Depclean serves as a dependency aware version of --unmerge. When given one or more atoms, it will unmerge matched packages that have no reverse dependencies. Use --depclean together with --verbose to show reverse dependencies.
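The preceding posts describe the failure mode of pulling a library out from under an installed binary (a /bin/login that still needs libldap or libpam, a shadow that emerge -N did not pick up), and the two checks people reach for: whether anything is still built with the flag, and whether anything still links the library. The script below does both checks against Portage's installed-package database before --depclean is run. It is an added example, not code from the thread or from Portage; the file layout it reads (/var/db/pkg/<category>/<package>/USE and .../NEEDED) is real, the root directory is a parameter so the check can be exercised against a constructed copy, and the sample package names in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Before unmerging a library such as
# sys-libs/pam or net-nds/openldap, check the installed-package database for
# (a) packages whose recorded USE still has the flag enabled and (b) installed
# files whose DT_NEEDED still names the library's soname. Both are real vdb
# files: /var/db/pkg/<cat>/<pkg>/USE and /var/db/pkg/<cat>/<pkg>/NEEDED.
set -eu

VDB="${VDB:-/var/db/pkg}"

# Packages whose recorded USE still contains FLAG. Their binaries were linked
# with the feature on, even if make.conf has since turned it off (the shadow
# case in the thread, where "emerge -N" did not schedule a rebuild).
vdb_flag_users() {          # vdb_flag_users FLAG [VDB]
    flag="$1"; root="${2:-$VDB}"
    for f in "$root"/*/*/USE; do
        [ -f "$f" ] || continue
        if tr ' ' '\n' < "$f" | grep -qx -- "$flag"; then
            f="${f%/USE}"; printf '%s\n' "${f#"$root"/}"
        fi
    done
}

# Installed files that link against SONAME. NEEDED lines look like
#   /bin/login libpam.so.0,libc.so.6
# This is the same information revdep-rebuild consults, read offline.
vdb_consumers() {           # vdb_consumers SONAME [VDB]
    so="$1"; root="${2:-$VDB}"
    for f in "$root"/*/*/NEEDED; do
        [ -f "$f" ] || continue
        pkg="${f%/NEEDED}"; pkg="${pkg#"$root"/}"
        while read -r path libs || [ -n "$path" ]; do
            case ",$libs," in
                *",$so,"*) printf '%s %s\n' "$pkg" "$path" ;;
            esac
        done < "$f"
    done
}

# Returns 0 when nothing is built with FLAG and nothing links SONAME;
# otherwise prints the offenders (rebuild these first) and returns 1.
safe_to_remove() {          # safe_to_remove FLAG SONAME [VDB]
    root="${3:-$VDB}"
    out="$( (vdb_flag_users "$1" "$root"; vdb_consumers "$2" "$root") )"
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
}
```

Typical use on the thread's example: `safe_to_remove pam libpam.so.0 && emerge -av --depclean sys-libs/pam`. If it prints `sys-apps/shadow-4.1.5.1-r1 /bin/login`, rebuild shadow with the flag off (`emerge -1 sys-apps/shadow`) and re-run the check; the same two calls with `ldap` and the libldap soname installed on the box cover the openldap case. Keep a second login path (a root shell on another VT, or a statically linked busybox) open while doing it.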
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Fri Jan 24, 2014 12:21 am

How about removal of acl
and USE flags -acl -xattr -sendmail -cxx
frostschutz (Advocate; joined 22 Feb 2005; 2977 posts; location: Germany)
Posted: Fri Jan 24, 2014 12:56 am, subject: Re: Opinions on removing PAM from a single user desktop syst

jonathan183 wrote:
Is PAM required for a single user desktop system


I don't use PAM. But I also don't use KDE/Gnome. Everything works fine with xdm/fluxbox.
Anon-E-moose (Watchman; joined 23 May 2008; 6095 posts; location: Dallas area)
Posted: Fri Jan 24, 2014 1:36 am

jonathan183 wrote:
How about removal of acl
and USE flags -acl -xattr -sendmail -cxx


Try "euse -I <flag>" to see which packages are using it.

Example:
Code:
euse -I acl
global use flags (searching: acl)
************************************************************
[+  D   ] acl - Add support for Access Control Lists

Installed packages matching this USE flag:
app-admin/logrotate-3.8.7
app-arch/libarchive-3.1.2-r1
app-editors/gvim-7.3.762
app-editors/vim-7.3.762
app-editors/vim-core-7.3.762
app-misc/emelfm2-0.8.1
net-fs/samba-3.5.22
net-misc/rsync-3.0.9-r3
net-print/cups-1.5.2-r4
sys-apps/coreutils-8.21
sys-apps/sed-4.2.1-r1
sys-apps/shadow-4.1.5.1-r1
sys-devel/gettext-0.18.2
sys-fs/ntfs3g-2013.1.13

local use flags (searching: acl)
************************************************************
[+  D   ] acl (app-admin/logrotate):
Installs acl support


I don't know that you'll gain much by removing those particular flags.

I use sendmail, so removing the flag wouldn't do much in my case, as I would still use sendmail.
It might shrink executables down by a little, but that's not a given.

The major flags that affect package bloat are the ones I mentioned earlier from my make.conf file, IMO.
mv (Watchman; joined 20 Apr 2005; 6747 posts)
Posted: Fri Jan 24, 2014 11:46 am

jonathan183 wrote:
How about removal of acl
and USE flags -acl -xattr -sendmail -cxx

-acl is fine for single-user systems. Actually you can even remove support for POSIX Access Control Lists from the filesystems in your kernel. Again, be careful with recompiling.
I would recommend keeping xattr and keeping/setting security labels for your filesystems in the kernel: this is the new way hardened-sources marks exceptional binaries, and it is also needed if you should ever want to run overlayfs.
sendmail is not important and up to you, but you probably want to install an MTA anyway, e.g. to get errors from cron.
cxx is heavily needed unless you build an extremely tiny embedded system; many basic projects use C++.
Page 1 of 2