Opinions on removing PAM from a single user desktop system

[jonathan183]

Is PAM required for a single user desktop system ... or to put it a different way if I remove PAM will I be compromising the security of the system?
If I expanded the number of users to less than 5 (all local login - one user at a time) would the answer be different?

Some of the background to my question below ...
I have been using Gentoo along with a couple of other distros (including Arch) for a few years now and have done a fresh install on a spare partition (attempting to use tripwire from a fresh install). I'm trying to get it setup the way I want which means:-
openrc for system boot with busybox mdev as the device manager
boot to command line login and use startx (when I want to use X)
IceWM as the window manager
Various applications such as firefox, claws-mail, leafpad, libreoffice, mupdf, gimp, smplayer and pcmanfm running in X.
Applications such as mplayer, links2 running using directfb. System admin cli only, cp/rsync/mv/chown/chmod/iptables etc cli only.

What I don't want - systemd, gnome, kde, xfce etc. I also don't want *kit, will suffer dbus if I must. I'll stick with mdev but if I do need to switch I'll go with eudev.
I have USE flags with most things including X disabled and will enable on a case by case base in /etc/portage/package.use.
I have sys-apps/systemd, sys-auth/consolekit, sys-auth/polkit, sys-fs/udev in /etc/portage/package.mask.

The point I have got to at the moment equery output indicates a few things requiring dbus, nothing needing polkit but pambase requiring consolekit.

Code: Select all

equery d dbus polkit consolekit pambase
 * These packages depend on dbus:
app-text/ghostscript-gpl-9.05-r1 (dbus ? sys-apps/dbus)
dev-libs/dbus-glib-0.100.2 (>=sys-apps/dbus-1.6.2)
dev-libs/glib-2.32.4-r1 (test ? >=sys-apps/dbus-1.2.14)
net-print/cups-1.6.4 (dbus ? sys-apps/dbus)
net-print/foomatic-filters-4.0.17 (sys-apps/dbus)

 * These packages depend on polkit:

 * These packages depend on consolekit:
sys-auth/pambase-20120417-r3 (consolekit ? >=sys-auth/consolekit-0.4.5_p2012[pam])

 * These packages depend on pambase:
app-admin/sudo-1.8.6_p7 (pam ? sys-auth/pambase)
net-misc/openssh-5.9_p1-r4 (pam ? >=sys-auth/pambase-20081028)
sys-apps/openrc-0.12.4 (pam ? sys-auth/pambase)
sys-apps/shadow-4.1.5.1-r1 (pam ? >=sys-auth/pambase-20120417)
sys-libs/pam-1.1.6-r2 (sys-auth/pambase)

So to drop consolekit completely it looks as though I will need to drop pam which is when I start to feel nervous, about whether this is something I should be doing.
I initially built busybox with static USE flag so it had pam support disabled ... I just had to replace a few root:video and root:audio with numeric values on /etc/mdev.conf for that ...
So ... Is pam really going to be doing much for me? are there hidden/unintended consequences I should be aware of by removing pam from the system? is there another way of removing consolekit?

Portage does not complain with the addition of -pam, I don't mind keeping all the pieces on a fresh install but don't want to compromise system security unnecessarily

[Anon-E-moose]

I run a single user desktop/server, I don't use pam, *kit, dbus and run an old version of udev.

It suffices for me. I don't have logins for the my kids, but they wouldn't use it anyway.
They do access the storage disks by way of samba (they use windows)

AFAIK you should be able to set up different user accounts without pam.

Pam is more for you don't trust completely the people who you give accounts to IMO.

[The Doctor]

I don't know of any problems. Just set your useflags, emerge -auvND world, emerge -ac and you should be good to go.

-Another happy user with -*kits, -pam, and -udev.

[miket]

Well, you *can* emerge pam without consolekit. I've just that kind of setup: I have pam but am kit-free.

[jonathan183]

Pam is more for you don't trust completely the people who you give accounts to IMO.

Could you clarify what you mean by that please.

[jonathan183]

Well, you *can* emerge pam without consolekit. I've just that kind of setup: I have pam but am kit-free.

IUSE consolekit in ebuild put me off trying to do that ...

[xaviermiller]

Hello,

I need PAM only for pro-audio applications that need real-time scheduling, and that goes through PAM.

But without that, I could live without PAM and *kit.

[jonathan183]

I don't know of any problems. Just set your useflags, emerge -auvND world, emerge -ac and you should be good to go.

-Another happy user with -*kits, -pam, and -udev.

I'm hoping that's going to be the case

[Anon-E-moose]

Pam is more for you don't trust completely the people who you give accounts to IMO.

Could you clarify what you mean by that please.

Pam is usually used in an environment where you want to limit the ability of the users to do certain things.
Think of a business where one or two might know the root password,
but others would have limited power to do things, such as shutting down the system
or whatever they were limited to.

[jonathan183]

Pam is usually used in an environment where you want to limit the ability of the users to do certain things.
Think of a business where one or two might know the root password,
but others would have limited power to do things, such as shutting down the system
or whatever they were limited to.

I lock the root account and use sudo. I add users by name to sudoers rather than using wheel group etc. I create a separate user account for specific tasks - for example I have users for:-
admin (sudo to run emerge, tripwire, rkhunter, vimdiff without passwd and bash with a passwd... still being lazy)
kernel_builder (sudo to chown /usr/src/linux to themselves, install modules but build kernel as a regular user)
iptables_admin (sudo iptables, modprobe can start and stop firewall but not configured to access net)
email (run claws-mail to access email, able to write information to websurfer home area so links are never followed direct from email but can be copied to a temporary file)
websurfer (run firefox, links2 etc)
regular user (access to user docs & able to transfer to/from email and websurfer home areas, not able to access the net)

I have a group set up for net access. I trust myself and would trust any users I put on the system for email/websurfer/regular user - I am the only admin.
I use sg to start applications like firefox with my net access group, so any old program trying to access the net would need to know to run as my net group in order to access the net.

So I think a combination of user account, sudo and iptables allows me to secure the system. Any user on my system just needs to make their mind up if they want to access email, surf the web or write documents/view photos etc and login as the required user. The password can be the same for all three accounts they have ... just login as jonathan-email jonathan-websurfer or jonathan-user then startx is all they need to do.

I want to keep things simple, consistent and rely on the minimum complexity tools. I don't need or want gnome/kde/xfce/lxde etc, I use IceWM which looks the same and behaves the same on all the PCs I have. The toolbar and menu are configured so things are in the same place always, I can swap openoffice for libreoffice and it is in the same place & could be called the same thing.

Now if things start falling apart because I remove pam then I probably don't want to remove pam.

[Anon-E-moose]

I haven't had pam installed on my system in a very long time.
I do run lxde, but I could just as easily go with openbox and tint2 or some other panel.

I also prefer to use sudo, and anyone that I would add on my system I would trust.

So you should be able to pull pam out, without any long term problems to the system.
Some packages would need to be rebuilt, but I don't remember how many.

Code: Select all

USE="-pam -consolekit -policykit" emerge -pvuDN --with-bdeps y @world

Would give you an idea though.

Good luck.

Edit to add: this is from my /etc/make.conf

Code: Select all

-introspection -hal -bluetooth -kde -gnome -libnotify -pam -consolekit -policykit -systemd -udisks -upower -pulseaudio

Edit to add 2: It wouldn't hurt to leave pam installed, either. Just don't use it. It's your system and your choice.

[mv]

Now if things start falling apart because I remove pam then I probably don't want to remove pam.

Why do you think that removing pam changes anything in your setup? You are speaking about a single machine, not about a network where you want a centralilzed and magically distributed login or some other fancy stuff for which pam is really required, do you?

As far as I can see, nothing will change for you if you remove pam, except that your system might be even some more secure since you removed one level of unnecessary (for you) complexity. Just do not forget to run revdep-rebuild after removing pam, since otherwise you might be able to login afterwards

[The Doctor]

Actually, I think you can argue that your security will increase when you remove pam. If you don't need it, pam simply becomes another potential threat. I'm not saying there is anything wrong with it, just that if there is any security hole or exploit that is discovered you will be needlessly exposed.

[jonathan183]

OK thanks for the responses

-Another happy user with -*kits, -pam, and -udev.

Now I'm wondering what else I don't need ... how about openldap?

[PaulBredbury]

You probably don't need openldap. I don't.

[mv]

You probably don't need openldap.

This is even less needed than pam (on a single system or small home network - of course, it is different for a huge university network).

Unfortunately, the library is needed anyway if you want to make official pdf annotations (with acroread). Of course there is no technical reason for this except that adobe fails to release sane binaries.

[PaulBredbury]

Be careful when removing openldap - recompile audit, and shadow. Otherwise, can end up with broken /bin/login (provided by shadow), which is quite inconvenient to fix, since ya can't login to fix it

I think I'll symlink /bin/login to busybox, to be safer in future
Edit: Nah, busybox's login doesn't apply /etc/security/limits.d/* - when not build with PAM, anyway.

[depontius]

Wouldn't the safe way be to put things like "-pam" and/or "-ldap" in make.conf USE flags, rebuild with "-N" to pick up the changes, then remove the packages?

[jonathan183]

Wouldn't the safe way be to put things like "-pam" and/or "-ldap" in make.conf USE flags, rebuild with "-N" to pick up the changes, then remove the packages?

I don't think that strategy helps much ... shadow is not going to be rebuilt for system or world

Code: Select all

emerge -pvDN system

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-misc/openssh-6.4_p1-r1  USE="hpn tcpd -X -X509 -bindist -kerberos -ldap* -ldns -libedit -pam (-selinux) -skey -static" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

emerge -pvDN world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-misc/curl-7.34.0-r1  USE="ssl threads -adns -idn -ipv6 -kerberos -ldap* -metalink -rtmp -ssh -static-libs {-test}" CURL_SSL="openssl -axtls -cyassl -gnutls -nss -polarssl" 0 kB
[ebuild     U  ] media-libs/harfbuzz-0.9.23:0/0.9.18 [0.9.12:0/0] USE="cairo%* glib%* graphite%* icu%* truetype%* -introspection% -static-libs" 0 kB
[ebuild     U  ] x11-libs/pango-1.34.1 [1.30.1] USE="X -debug -introspection*" 0 kB
[ebuild   R    ] app-admin/sudo-1.8.6_p7  USE="nls sendmail -ldap* -offensive -pam (-selinux) -skey" 0 kB
[ebuild   R    ] app-crypt/gnupg-2.0.22  USE="bzip2 nls readline usb -adns -doc -ldap* -mta (-selinux) -smartcard -static" 0 kB
[ebuild  rR    ] media-libs/openjpeg-1.5.1  USE="-doc -static-libs {-test}" 0 kB
[ebuild  N     ] dev-libs/libusbx-1.0.17:1  USE="-debug -doc -examples -static-libs {-test} -udev" 0 kB
[uninstall     ] dev-libs/libusb-1.0.9:1  USE="-debug -doc -static-libs" 
[blocks b      ] dev-libs/libusbx:1 ("dev-libs/libusbx:1" is blocking dev-libs/libusb-1.0.9)
[blocks b      ] dev-libs/libusb:1 ("dev-libs/libusb:1" is blocking dev-libs/libusbx-1.0.17)
[ebuild     U  ] virtual/libusb-1-r1:1 [1:1] 0 kB
[ebuild   R    ] net-print/cups-1.6.4  USE="acl filters gnutls ssl threads usb -X -dbus -debug -java -kerberos -lprng-compat -pam* -python (-selinux) -static-libs -xinetd -zeroconf" LINGUAS="-ca -es -fr -ja -ru" PYTHON_SINGLE_TARGET="python2_7 -python2_6" PYTHON_TARGETS="python2_7 -python2_6" 0 kB
[ebuild     U  ] x11-libs/gtk+-2.24.22:2 [2.24.17:2] USE="cups (-aqua) -debug -examples -introspection* {-test} -vim-syntax -xinerama" 0 kB
[ebuild   R    ] mail-client/claws-mail-3.9.0  USE="crypt imap session spell ssl -bogofilter -dbus -dillo -doc -ipv6 -ldap* -nntp -pda -smime -spamassassin -startup-notification -xface" 0 kB
[ebuild     U  ] www-client/firefox-24.1.1 [17.0.9] USE="alsa jit minimal -bindist -custom-cflags -custom-optimization -dbus -debug -gstreamer -libnotify* (-pgo) -pulseaudio% (-selinux) -startup-notification -system-cairo% -system-icu% -system-jpeg% -system-sqlite -wifi" LINGUAS="en_GB -af -ak -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -csb -cy -da -de -el -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -ku -lg -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -nso -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -ta_LK -te -th -tr -uk -vi -zh_CN -zh_TW -zu" 0 kB
[ebuild     U  ] net-print/foomatic-filters-4.0.17-r1 [4.0.17] USE="cups -dbus*" 0 kB

Total: 13 packages (6 upgrades, 1 new, 6 reinstalls, 1 uninstall), Size of downloads: 0 kB
Conflict: 2 blocks

I had already rebuilt shadow after removing pam and don't have audit installed

Code: Select all

emerge -pv shadow audit

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N     ] sys-libs/libcap-ng-0.7.3  USE="-python -static-libs" 384 kB
[ebuild   R    ] sys-apps/shadow-4.1.5.1-r1  USE="acl cracklib nls -audit -pam (-selinux) -skey -xattr" 0 kB
[ebuild  N     ] sys-process/audit-2.1.3-r1  USE="-ldap (-prelude) -python" 815 kB

Total: 3 packages (2 new, 1 reinstall), Size of downloads: 1,198 kB

[Anon-E-moose]

Wouldn't the safe way be to put things like "-pam" and/or "-ldap" in make.conf USE flags, rebuild with "-N" to pick up the changes, then remove the packages?

I don't think that strategy helps much ... shadow is not going to be rebuilt for system or world

The -pam -ldap use flags would work fine for everything except sys-apps/shadow.

Not sure why that's not being picked up, something funny in the way portage sees it.

But as you showed it could be rebuilt separately.


I always test with "emerge -pv --depclean <package name>" to see what might be holding that package from being removed.

[jonathan183]

I always test with "emerge -pv --depclean <package name>" to see what might be holding that package from being removed.

thanks Anon-E-moose - I probably should have switched to this rather than using --unmerge ... must have skipped over emerge man page

Depclean serves as a dependency aware version of --unmerge. When given one or more atoms, it will unmerge matched packages that have no reverse dependencies. Use --depclean together with --verbose to show reverse dependencies.

[jonathan183]

How about removal of acl
and USE flags -acl -xattr -sendmail -cxx

[frostschutz]

Is PAM required for a single user desktop system

I don't use PAM. But I also don't use KDE/Gnome. Everything works fine with xdm/fluxbox.

[Anon-E-moose]

How about removal of acl
and USE flags -acl -xattr -sendmail -cxx

Try "euse -I <flag>" to see what package is using it

Example:

Code: Select all

euse -I acl
global use flags (searching: acl)
************************************************************
[+  D   ] acl - Add support for Access Control Lists

Installed packages matching this USE flag: 
app-admin/logrotate-3.8.7
app-arch/libarchive-3.1.2-r1
app-editors/gvim-7.3.762
app-editors/vim-7.3.762
app-editors/vim-core-7.3.762
app-misc/emelfm2-0.8.1
net-fs/samba-3.5.22
net-misc/rsync-3.0.9-r3
net-print/cups-1.5.2-r4
sys-apps/coreutils-8.21
sys-apps/sed-4.2.1-r1
sys-apps/shadow-4.1.5.1-r1
sys-devel/gettext-0.18.2
sys-fs/ntfs3g-2013.1.13

local use flags (searching: acl)
************************************************************
[+  D   ] acl (app-admin/logrotate):
Installs acl support

I don't know that you'll gain much by removing those particular flags.

I use sendmail, so removing the flag wouldn't do much in my case, as I would still use sendmail.
It might shrink executables down by a little, but that's not a given.

The major flags that affect package bloat are the ones I mentioned earlier from my make.conf file, IMO.

[mv]

How about removal of acl
and USE flags -acl -xattr -sendmail -cxx

-acl is fine for single-user systems. Actually you can even remove support for POSIX Access Control Lists in your kernel from the filesystems. Again, you will be careful with recompiling.
I would recommend to keep xattr and to keep/set security labels for your filesystems in the kernel: This is the new way how hardened-sources marks exceptional binaries, and this is also needed if you should ever want to run overlayfs.
sendmail is not important and up to you, but probably you want to install a MTA anyway e.g. to get errors from cron.
cxx is a heavily needed unless you build an extremely tiny embedded systems; many basic projects use c++.