[Python-Dev] PEP 594: Removing dead batteries from the standard library
Arfrever Frehtes Taifersar Arahesis arfrever.fta at gmail.com
Wed May 22 00:20:44 EDT 2019
2019-05-21 00:06 UTC+02:00, Christian Heimes <christian at python.org> wrote:
> On 20/05/2019 23.27, Antoine Pitrou wrote:
> > Removing the crypt module would remove support for system-standard
> > password files. I don't understand the rationale.
>
> Applications must not access system-standard password files directly. On
> any sanely and securely configured systems, applications cannot even access
> system password files like /etc/shadow. Access restrictions and system
> security policies will prevent read access. Also applications cannot
> assume that users are present in any user file. They may come from LDAP,
> SSSD, ActiveDirectory, or other sources.
>
> The correct way to interact with system users is to use the proper APIs,
> that are NSS (name service switch) and PAM (pluggable authentication
> modules). NSS looks up and enumerates users and groups. PAM performs
> password validation and much, much, much more. The pwd and grp modules
> use the correct APIs to interact with NSS. If you need to check or
> change passwords, you must go through PAM.

It is possible to have a modern Linux desktop system with PAM not installed at all, and therefore not used.

Examples of packages in Gentoo Linux which have an OPTIONAL dependency on PAM: shadow, sudo, openssh, libcap, systemd, util-linux, screen, cronie, polkit, cups, sddm, kscreenlocker, xscreensaver
(So a KDE Plasma desktop environment and its direct and indirect dependencies can be installed without PAM.)

The suggested substitutes for the spwd module, i.e. python-pam and simplepam, look like they would not work on a PAM-free system.

-- Arfrever Frehtes Taifersar Arahesis
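
An added example, not part of the original message or of any project named in it: a user lookup through NSS with the `pwd` module, beside a probe that reports whether libpam is present and usable, so code can fail closed on a PAM-free host. The function names and the injectable `find_library`/`load` parameters are assumptions made for illustration.

```python
import ctypes
import ctypes.util
import os
import pwd


def lookup_user(name):
    """Resolve a user through NSS (files, LDAP, SSSD, ...) via the pwd module.

    Returns None when no configured NSS source knows the name.
    """
    try:
        entry = pwd.getpwnam(name)
    except KeyError:
        return None
    return {"name": entry.pw_name, "uid": entry.pw_uid, "home": entry.pw_dir}


def pam_status(find_library=ctypes.util.find_library, load=ctypes.CDLL):
    """Report whether libpam can be located and loaded on this host.

    find_library and load are injectable (an assumption of this example) so
    the PAM-free case can be exercised on a machine that does have PAM.
    """
    path = find_library("pam")
    if path is None:
        return {"available": False, "reason": "libpam not found"}
    try:
        lib = load(path)
    except OSError as exc:
        return {"available": False, "reason": f"libpam failed to load: {exc}"}
    # Entry points a PAM client needs before it can validate a password.
    missing = [sym for sym in ("pam_start", "pam_authenticate", "pam_end")
               if not hasattr(lib, sym)]
    if missing:
        return {"available": False, "reason": f"missing symbols: {missing}"}
    return {"available": True, "reason": path}


if __name__ == "__main__":
    # The current uid may have no passwd entry (e.g. in some containers).
    try:
        print(lookup_user(pwd.getpwuid(os.getuid()).pw_name))
    except KeyError:
        print("current uid is unknown to NSS")
    print(pam_status())
```

A caller that gets `available: False` should refuse password authentication, not fall back to reading /etc/shadow itself.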