pamela
Software
skarnet.org
Building an application with pamela instead of Linux-PAM
Prerequisites
- The pamela package must have been properly built and installed;
in particular, the pamelad binary must
have been properly linked against Linux-PAM's libpam.so.
- The security/pam_appl.h header, usually installed in
/usr/include, must be a symlink to pamela's
pamela/pam.h header. This can be achieved by running
make install-symlink after make install when
building the pamela package.
- The application must strictly follow the
Linux-PAM
specification. Note that the page claims that the
pam_set_item() function is declared in security/pam_modules.h,
but it is a mistake: like every PAM function used by applications, it
is declared in security/pam_appl.h.
- The pamela headers and library must be installed, as well as the
skalibs headers and library.
Compiling
- Make sure that the pamela headers and the skalibs headers
are visible in your header search path, and that the
Linux-PAM headers are not.
- If the compilation fails, please report the issue to the
skaware mailing-list. pamela is a work in progress, and there
may be compatibility issues that still need to be fixed.
Linking
- Make sure the pamela library, as well as the skalibs
library, are visible in your library search path.
- Do not add -lpam to your linking command line.
Instead, add -lpamela -lskarnet. Depending on the
libc you're using, you may have to add -lrt too.
- It is possible to statically link a binary using pamela:
the pamela and skalibs libraries do not use any dynamic loading,
and are suitable for static linking. Only the
pamelad binary uses dynamic module
loading and needs to be dynamically linked, and that is decided
at pamela build time, not at your application's build time.
- Check your application binary's dynamic library dependencies
after it has been built. If your binary depends on libpam,
it has been incorrectly made! Your binary should depend on
libpamela and libskarnet, but not libpam.
If you have chosen to link against the static version of pamela
and skalibs, you may not even see the libpamela and
libskarnet dependencies.
Programming
- pamela strictly implements the
Linux-PAM
API
- The pam_start() function will spawn a
pamelad binary running as a child of
the application, until pam_end() is called. At that point
the zombie is reaped.
- If the pamelad binary is killed
during the PAM session, all PAM calls will return PAM_ABORT.
The application should then just exit, or call pam_end()
to free resources: nothing more can be done with the session.
Running
- If your application runs as root, you can set the
PAMELA_UID and PAMELA_GID environment variables to a non-zero
numeric uid and a nonzero numeric gid prior to running it.
The pamelad binary will then drop
its privileges and run under this uid/gid.
My application is not working with pam_foobar.so!
A pamela-type architecture can only work if modules do not try
to do anything fancy outside of the official PAM communication
channels. In particular, if it sets global state,
it will not work. PAM modules that
- modify their process' environment
- change their process' uid and gid
- change their process' namespace
- change the working directory
- or any similar action impacting global data of the process
will not, and cannot, be supported by pamela. The only
solution is to rewrite these modules so they communicate the
change they wish to make via the official PAM API, and have the
application perform the change itself. PAM provides a way to
do this: the conversation function, which exchanges data
between PAM and the application. pamela fully supports custom
conversation functions.