Could a finit service run with a specific PAM config?
Our company is considering involving PAM (https://en.wikipedia.org/wiki/Linux_PAM) in our system, and we are using finit as the init manager.
Would it be possible to run a service/task under a specific PAM config? For instance, systemd has PAMName support; if we set it in weston.service:
PAMName=weston-autologin
it will look for /etc/pam.d/weston-autologin:
auth required pam_nologin.so
auth required pam_unix.so try_first_pass nullok
account required pam_nologin.so
account required pam_unix.so
session required pam_env.so
session required pam_unix.so
-session optional pam_systemd.so type=wayland class=user desktop=weston
-session optional pam_loginuid.so
and set the permission controls for the weston service.
Would finit like to support this or is there a plan for supporting it?
First, there is nothing planned wrt. this.
Second, even though I just skimmed through the systemd docs on the topic, how do you imagine this all working? In systemd they fork off a (sd-pam) service for each unit that has this directive, and it seems "the main unit process will be migrated to its own session scope unit" -- I don't understand what that means? It's confusing to read and just seems like a lot of added complexity. What is the benefit of having Finit support when the process can call pam_start(3) with the weston-autologin service?
I had a chat recently with a colleague who got intrigued by this idea. Even though I still cannot see it, he usually has his wits about him, and I'm curious to understand how this could be added to Finit and what it could improve for users. So please explain a bit more if you can.
@troglobit
Thanks for the reply.
What I was asking basically is this feature in systemd: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PAMName=
(I think I am the colleague that, apparently at least usually, has his wits about him 😉)
We have read through the systemd docs. I think what we were curious about was when do you typically need this? I.e., what are some typical use-cases?
We have a system that has multiple users, and for a specific user, we want it to have a specific permission setting.
Right, but what is the use-case? An example could be:
We want to run foobard as the foobar user, and we have an /etc/pam.d/login with the following relevant session setup:
session required pam_limits.so
And we want to make sure that these limits are applied to the service when it is launched under finit's control.
I find that it is usually much easier to reason about the implementation and test of a new feature if you have some idea of how that feature is going to be used.
Hi, @wkz:
That is exactly the use case we want!
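As an added example (not part of the thread and not finit or systemd code), the following parses a /etc/pam.d service file such as the weston-autologin stack quoted above and reports which session modules a launcher would run. It shows that this stack does not load pam_limits.so, so the limits use case discussed above would need that line added. The function names are assumptions, and `include`/`@include` directives and backslash line continuations are not followed.

```python
from dataclasses import dataclass

# Constructed sample: the /etc/pam.d/weston-autologin stack quoted in the thread.
WESTON_AUTOLOGIN = """\
auth required pam_nologin.so
auth required pam_unix.so try_first_pass nullok
account required pam_nologin.so
account required pam_unix.so
session required pam_env.so
session required pam_unix.so
-session optional pam_systemd.so type=wayland class=user desktop=weston
-session optional pam_loginuid.so
"""

TYPES = {"auth", "account", "password", "session"}

@dataclass
class Rule:
    mtype: str        # auth / account / password / session
    control: str      # e.g. required, optional, or a [value=action ...] block
    module: str
    args: list
    quiet_if_missing: bool  # leading '-': no syslog error if the module is absent

def parse_pam_stack(text):
    """Parse the lines of one pam.d service file into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        quiet = line.startswith("-")
        mtype, rest = line.lstrip("-").split(None, 1)
        if mtype not in TYPES:
            raise ValueError(f"unsupported line (includes are not followed): {raw!r}")
        if rest.startswith("["):               # bracketed control, may contain spaces
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, rest = rest.split(None, 1)
        fields = rest.split()
        rules.append(Rule(mtype, control, fields[0], fields[1:], quiet))
    return rules

def modules_for(rules, mtype):
    """Modules of one management group, in the order PAM would call them."""
    return [r.module for r in rules if r.mtype == mtype]

def has_module(rules, mtype, module):
    return module in modules_for(rules, mtype)
```
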