[Python-Dev] PEP 594: Removing dead batteries from the standard library
On 22/05/2019 06.20, Arfrever Frehtes Taifersar Arahesis wrote:
> 2019-05-21 00:06 UTC+02:00, Christian Heimes <christian at python.org> wrote:
>> On 20/05/2019 23.27, Antoine Pitrou wrote:
>>> Removing the crypt module would remove support for system-standard
>>> password files. I don't understand the rationale.
>> Applications *must* not access system-standard password files directly. On
>> any sanely and securely configured systems, application cannot even access
>> system password files like /etc/shadow. Access restrictions and system
>> security policies will prevent read access. Also applications cannot assume
>> that users are present in any user file. They may come from LDAP, SSSD,
>> ActiveDirectory, or other sources.
>> The correct way to interact with system users is to use the proper APIs,
>> that are NSS (name service switch) and PAM (pluggable authentication
>> modules). NSS looks up and enumerate users and groups. PAM performs password
>> validation and much, much, much more. The pwd and grp modules use the
>> correct APIs to interact with NSS. If you need to check or change passwords,
>> you must go through PAM.
> It is possible to have a modern Linux desktop system with PAM not
> installed at all, and therefore not used.
> Examples of packages in Gentoo Linux which have OPTIONAL dependency on PAM:
> shadow, sudo, openssh, libcap, systemd, util-linux, screen, cronie,
> polkit, cups, sddm, kscreenlocker, xscreensaver
> (So a KDE Plasma desktop environment and its direct and indirect
> dependencies can be installed without PAM.)
> The suggested substitutes for spwd module, i.e. python-pam and
> simpleplam, look like they would not work on a PAM-free system.
Thanks for bringing this up. I don't think we need to care about this care.
A PAM-free Linux system is an IMHO very special and exotic case. It's certainly not a setup anybody should run on a server. There are a lot of good reasons to use PAM. I'll update the BPO with reasons soonish.
By the way, the /etc/shadow shadow(5) format is trivial and can be parsed with a few lines of code. There is no need to use spwd.