[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] PEP 594: Removing dead batteries from the standard library

2019-05-21 00:06 UTC+02:00, Christian Heimes <christian at python.org> wrote:
> On 20/05/2019 23.27, Antoine Pitrou wrote:
>> Removing the crypt module would remove support for system-standard
>> password files.  I don't understand the rationale.
> Applications *must* not access system-standard password files directly. On
> any sanely and securely configured systems, application cannot even access
> system password files like /etc/shadow. Access restrictions and system
> security policies will prevent read access. Also applications cannot assume
> that users are present in any user file. They may come from LDAP, SSSD,
> ActiveDirectory, or other sources.
> The correct way to interact with system users is to use the proper APIs,
> that are NSS (name service switch) and PAM (pluggable authentication
> modules). NSS looks up and enumerate users and groups. PAM performs password
> validation and much, much, much more. The pwd and grp modules use the
> correct APIs to interact with NSS. If you need to check or change passwords,
> you must go through PAM.

It is possible to have a modern Linux desktop system with PAM not
installed at all, and therefore not used.

Examples of packages in Gentoo Linux which have OPTIONAL dependency on PAM:
shadow, sudo, openssh, libcap, systemd, util-linux, screen, cronie,
polkit, cups, sddm, kscreenlocker, xscreensaver
(So a KDE Plasma desktop environment and its direct and indirect
dependencies can be installed without PAM.)

The suggested substitutes for spwd module, i.e. python-pam and
simpleplam, look like they would not work on a PAM-free system.

Arfrever Frehtes Taifersar Arahesis