
This question is meant for general application, but I can use some specific examples to illustrate the nature of my question. When certain Linux authentication packages like krb5, sssd, or pam_pkcs11 are installed something goes into the files under the PAM configuration directory (like /etc/pam.d/system-auth and /etc/pam.d/password-auth) and will add or modify a line to point to the new .so files that were installed, like pam_krb5.so, pam_sssd.so, or pam_pkcs11.so for use.

This seems to happen automatically for certain packages without user intervention just by installing the rpm packages (with yum or directly with the rpm tool), like I've observed is the case with installing the sssd package (on RHEL 7 at least) which will add references to pam_sssd.so into the *-auth PAM files. I figured that the only way this could be possible was via the internal scripts that rpms can have, so I looked up how to list the internal scripts in the SPEC of the rpm, mounted a RHEL 7 image to peer into the source packages, and ran this inside the Packages directory:

sudo rpm --scripts -qpl sssd-* | grep -i pam

Yet I get no lines returned that would indicate that anything is touching files in the /etc/pam.d directory, even though if I remove the grep I do see results for if/then script logic doing other things, so the --scripts parameter is working.

I am also curious, in a very particular example case, what adds this line to my /etc/pam.d/system-auth file:

auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

If it is not an internal script to the RPMs, I was wondering if it might have been a certain binary among the newly installed files that was run initially, and that is what is responsible for adding those changes, but have not seen any evidence of that.

Furthermore, I had actually grep'd for authconfig lines in the RPM scripts as well, since I know that authconfig can do that, but didn't find anything. Yet it seems like it must be running authconfig or something equivalent in the background to do that.

Does anyone have any insights into what makes those changes?

SeligkeitIstInGott

1 Answer


Quite intriguing question, I admit it.

Red Hat is a massive organization, which can afford to rewrite any open source software it provides in its distributions (RHEL, CentOS). And it does.

I decided to do an strace while installing samba on a CentOS7.3 machine, and here's what I saw (partial output):

open("/etc/pam.d/samba;593a8da8", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 47
fcntl(47, F_SETFD, FD_CLOEXEC)          = 0
umask(022)                              = 0777
write(47, "#%PAM-1.0\nauth       required\tpa"..., 177) = 177
close(47)                               = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
lstat("/etc/pam.d/samba", 0x7ffeed35d250) = -1 ENOENT (No such file or directory)
rename("/etc/pam.d/samba;593a8da8", "/etc/pam.d/samba") = 0
getuid()                                = 0
getuid()                                = 0
chown("/etc/pam.d/samba", 0, 0)         = 0
chmod("/etc/pam.d/samba", 0644)         = 0
utime("/etc/pam.d/samba", [2017/05/25-07:33:05, 2017/05/25-07:33:05]) = 0
getuid()

It creates the /etc/pam.d/samba file with the following contents:

#%PAM-1.0
auth       required     pam_nologin.so
auth       include      password-auth
account    include      password-auth
session    include      password-auth
password   include      password-auth

Additionally, there's a tool which can automatically update, back up and/or restore pam.d configuration files: that's authconfig. My guess is that it may be used during the installation of certain packages to update PAM configuration files. For example, part of Red Hat's procedure to configure SSSD for system authentication (which includes configuring PAM) is:

Use authconfig to enable SSSD for system authentication.

# authconfig --update --enablesssd --enablesssdauth

This automatically updates the PAM configuration to reference all of the

And here's the output of rpm --scripts -qpl samba-4* | grep -i pam on my testing server: /etc/pam.d/samba, which is the new file created during samba installation.

13dimitar
  • +1 for the strace and verifying the same situation on CentOS. That is indeed interesting to see that *write()*. This however still leaves everything largely a mystery as to what is responsible for that. Do you see anything in the samba rpm referring to that file /etc/pam.d/samba if you run rpm with the *--scripts* parameter as in my OP? And yes, you are correct about *authconfig* being the recommended tool to use, but that is obviously recommended as a post-install manual execution step, yet the mystery is what automatically adds the lines (like shown in your strace) to the /etc/pam.d files. – SeligkeitIstInGott Jun 09 '17 at 13:28
  • `sudo rpm --scripts -qpl samba-* | grep -i pam` outputs nothing – 13dimitar Jun 09 '17 at 14:46
  • I had to mount a RHEL DVD and cd to the Packages dir where the rpms were. But if you did the equivalent and still got nothing, if you remove the grep do you see anything interesting in the scripts? BTW, I found a way to prevent strace from truncating/abbreviating the output with ellipses (...) with -s strsize. This post says the default is 32 and can be increased: https://stackoverflow.com/questions/6672743/prevent-strace-from-abbreviating-arguments . I'm not sure if that would give any more insight into what the rpm is doing, but I can play with strace on my end too. – SeligkeitIstInGott Jun 09 '17 at 15:05
  • 1
    I stand corrected: `# rpm --scripts -qpl samba-4* | grep -i pam /etc/pam.d/samba` – 13dimitar Jun 12 '17 at 07:46
  • Interesting. You don't see anything like that for sssd do you? I was unsuccessful in locating something similar for sssd. – SeligkeitIstInGott Jun 13 '17 at 19:16
  • 1
    Nope, nothing for sssd. – 13dimitar Jun 14 '17 at 06:55
  • Okay, maybe I'm mistaken about sssd. – SeligkeitIstInGott Jun 14 '17 at 19:44
  • 1
    13nilux, I am awarding you the bounty for your efforts. Thank you. – SeligkeitIstInGott Jun 14 '17 at 19:45
  • @13nilux of course there is a write to /etc/pam.d/samba that file belongs to the samba package and the package manager has to create the file and fill it with the desired content. – Andreas Rogge Jul 11 '17 at 14:35