Re: [systemd-devel] RFC: userdb authentication protocol

2025-07-22 Thread Dominik George
Hi Erin, thanks for the feedback! > Whatever such a protocol ends up looking like, I think “you could replace > pam_systemd_home with a generic UserDB PAM module and said generic protocol” > is an important criterion Yep. Please note that I am specifically targeting the PAM auth call (and pro

[systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Dominick Grift
From what I understand the sd-pam process is responsible for "PAM close" but it cannot do its job properly if it does not have privileges. should sd-pam always run as root? -- gpg --locate-keys dominick.gr...@defensec.nl (wkd) Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 40

Re: [systemd-devel] RFC: userdb authentication protocol

2025-07-22 Thread Thorsten Kukuk
On Mon, Jul 21, 2025 at 12:47 PM Dominik George wrote: > > Hi, > > currently, the userdb system only allows querying for User Records and > Group Records, hence providing a modern replacement for NSS. > > I would like to propose an addition to make it support authentication as > well. The addition

Re: [systemd-devel] RFC: userdb authentication protocol

2025-07-22 Thread Dominik George
Hi Thorsten, > But this is also the advantage: since it is so old, everything out > there in the world is supporting it. If you come with a systemd only > solution: there are also systems without systemd, and ISVs will not > support two solutions. So whatever you plan, make sure it can be > called

Re: [systemd-devel] RFC: userdb authentication protocol

2025-07-22 Thread Thorsten Kukuk
On Tue, Jul 22, 2025 at 9:53 AM Dominik George wrote: > > Hi Thorsten, > > > But this is also the advantage: since it is so old, everything out > > there in the world is supporting it. If you come with a systemd only > > solution: there are also systems without systemd, and ISVs will not > > suppo

Re: [systemd-devel] RFC: userdb authentication protocol

2025-07-22 Thread Dominik George
Hi Thorsten, > > I am confident you did not read my proposal. > > I did read it, but you started right from the beginning with a > technical solution without explaining the problem you want to solve. > Reverse engineering the problem from a proposal is pretty hard and > leads most of the time to

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Dominick Grift
Dominick Grift writes: > Michal Koutný writes: > >> On Tue, Jul 22, 2025 at 06:21:28PM +0200, Dominick Grift >> wrote: >>> To be clear: >>> >>> 1. currently sd-pam does not always run as root >> >> Ah, good. >> >>> 2. when sd-pam does not run as root then it lacks permission needed to >>> do

Re: [systemd-devel] Q: Reducing systemd Userspace Boot Time Below 2 Seconds on Minimal Embedded ARM Board

2025-07-22 Thread Michal Koutný
Hello Dharma. What a challenge! On Fri, Jul 18, 2025 at 05:51:39AM +, dharm...@microchip.com wrote: > I've reviewed > systemd.io/OPTIMIZATIONS and > applied all recommendations relevant to my scenario (disabling settle > services, removing legacy storage sta

Re: [systemd-devel] RFC: userdb authentication protocol

2025-07-22 Thread Adrian Vovk
Hi all, I'm packing for travel today, so unfortunately I'm not fully read up on the thread. However, I wanted to leave a comment about this so that the conversation is informed by it There are ongoing conversations between the GDM devs, KDE/SDDM/PlasmaDM devs, and systemd upstream about "upstream

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Michal Koutný
On Tue, Jul 22, 2025 at 06:21:28PM +0200, Dominick Grift wrote: > To be clear: > > 1. currently sd-pam does not always run as root Ah, good. > 2. when sd-pam does not run as root then it lacks permission needed to > do its job for some pam modules Such modules are frowned upon https://github.

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Dominick Grift
Michal Koutný writes: > On Tue, Jul 22, 2025 at 06:21:28PM +0200, Dominick Grift > wrote: >> To be clear: >> >> 1. currently sd-pam does not always run as root > > Ah, good. > >> 2. when sd-pam does not run as root then it lacks permission needed to >> do its job for some pam modules > > Such

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Dominick Grift
Michal Koutný writes: > Hello Dominick. > > On Tue, Jul 22, 2025 at 09:42:59AM +0200, Dominick Grift > wrote: >> >> From what I understand the sd-pam process is responsible for "PAM >> close" but it cannot do its job properly if it does not have privileges. > > AFAICS, sd-pam should drop privs

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Michal Koutný
Hello Dominick. On Tue, Jul 22, 2025 at 09:42:59AM +0200, Dominick Grift wrote: > > From what I understand the sd-pam process is responsible for "PAM > close" but it cannot do its job properly if it does not have privileges. AFAICS, sd-pam should drop privs to User= of the service. > should s