Subject: Re: PAM proposal
To: Roland Dowdeswell <elric@imrryr.org>
From: Daniel Carosone <dan@geek.com.au>
List: tech-security
Date: 05/08/2005 08:25:19
--vH3HHxf962mwD/qo
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sat, May 07, 2005 at 11:22:57AM -0400, Roland Dowdeswell wrote:
> The language describing the PAM keywords is rather confusing, so
> I will construct a table of how [our] PAM works. The four columns
> represent:
>=20
> continue:F will continue on failure
> S will continue on success
> can succeed sets the ``can succeed'' flag
=2E.. *on success*
> force deny sets the ``will be denied'' flag
=2E.. *on failure*
> requests which make it through the stack will succeed if both
> the ``can succeed'' flag is set and the ``force deny'' flag is
> not set.
>=20
> So, here is how I read our current set of keywords:
>=20
> keyword continue:F S can succeed force deny
> ------- ---------- - ----------- ----------
> required yes yes yes yes
> requisite no yes yes yes
> sufficient yes yes yes no
> optional yes yes no no
> binding yes no yes yes
At last this makes sense to me! Please add this to the documentation. =20
Well, almost: 'optional' seems like a NOP to me in this table, useless
unless it's there so the module can have some side-effects? What might
they be?
> Now, if we consider a module such as pam_nologin.so, none of
> those definitions make sense. We really want something like:
>=20
> X yes yes no yes
>=20
> which is unrepresented in the table.
Yes! Yes!
(are there other unrepresented combinations that might be useful?)
> If a system administrator naively comments out pam_unix.so, then
> anyone can log into the system at any time---so we still have a
> system which can [sort of] fail open.
We have a security system where even smart, experienced security
experts are left scratching their heads and drawing truth tables and
wondering what will really happen, even if they think they've figured
it out. That includes possibly failing open, but even if it doesn't
it is still not right.
> This, IMO, needs to be fixed. So, we can take either one of two
> paths. The first would be to come up with a PAM configuration
> syntax which has some semblence of sanity. This would diverge from
> the standards which would be unfortunate.=20
It would. There are a lot of people using this syntax, sane or
otherwise. I'd like to avoid that divergence too.
If the standards are broken beyond repair, we should diverge from them
without fear, but in doing so we should make it clear (perhaps by
using a different syntax entirely) that people used to other systems
should not expect the same behaviour here, otherwise we have a
different form of the same understanding problem.
One such change which would make it less confusing is to have two
columns for keywords, one to describe the four possible continuation
behaviours, another to describe the four possible flag-setting
behaviours. This would also inherently eliminate the 'no keyword for
the behaviour I want' cases, like above.
For example, the meanings of 'required/necessary/sufficient/optional'
are much clearer if they're only encoding the 'can succeed/force deny'
columns, and some new keywords encode the continuation behaviour.
> The other would be to
> change the semantics of a keyword or add a keyword.
>=20
> I think that it might be a better idea to just extend the current
> syntax to include an additional keyword ``neccessary'' which would
> specifically not imply any kind of sufficiency.
Yep, I like this, within the current context/syntax.
> ``Necessary'' might be a bad choice of words, but at this point I
> think that all of the words except sufficient and optional are poor
> choices...
I agree with this entirely. As I suggest above, there is too much
information encoded into a single english word. =20
If we are to diverge, either we split the encoding, or we make it more
explicit (less dependent on english interpretation).
Since I find your table quite helpful, I would be tempted to suggest
that we change the syntax to match the table and allow all
possibilities. Either by having four new columns in place of the
current 'keyword', two columns as above, or by defining a system of
names that encodes the table more directly than the english keywords,
and adding them as aliases alongside the current ones as a compatible
extension to the current syntax.
as a simple straw-man suggestion, a four-character ls-alike:
c: continue -: don't
s: can succced f: force deny
keyword c:F c:S can succeed force deny
------- --- --- ----------- ----------
required =3D ccsf yes yes yes yes
requisite =3D -csf no yes yes yes
sufficient =3D ccs- yes yes yes no
optional =3D cc-- yes yes no no
binding =3D c-sf yes no yes yes
I'm not sure this is great either, but at least I don't have to spend
several minutes thinking about the difference between 'required' and
'requisite', or 'requisite' and 'binding' each time - and worse, if
there are more keywords added, or I'm not a native English speaker.
--
Dan.
--vH3HHxf962mwD/qo
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (NetBSD)
iD8DBQFCfUBPEAVxvV4N66cRAr3zAKCGyajIfmJBMFE2eq/wxASj6DtxBwCfWAQX
sco2xHgXL8ojz55/Ff4myFA=
=IA5r
-----END PGP SIGNATURE-----
--vH3HHxf962mwD/qo--