[Python-Dev] PEP 594: Removing dead batteries from the standard library
Christian Heimes christian at python.org
Wed May 22 04:07:31 EDT 2019
On 22/05/2019 06.20, Arfrever Frehtes Taifersar Arahesis wrote:
> 2019-05-21 00:06 UTC+02:00, Christian Heimes <christian at python.org> wrote:
>> On 20/05/2019 23.27, Antoine Pitrou wrote:
>>> Removing the crypt module would remove support for system-standard password files. I don't understand the rationale.
>>
>> Applications must not access system-standard password files directly. On any sanely and securely configured system, applications cannot even access system password files like /etc/shadow. Access restrictions and system security policies will prevent read access. Also, applications cannot assume that users are present in any user file. They may come from LDAP, SSSD, ActiveDirectory, or other sources. The correct way to interact with system users is to use the proper APIs, which are NSS (name service switch) and PAM (pluggable authentication modules). NSS looks up and enumerates users and groups. PAM performs password validation and much, much, much more. The pwd and grp modules use the correct APIs to interact with NSS. If you need to check or change passwords, you must go through PAM.
>
> It is possible to have a modern Linux desktop system with PAM not installed at all, and therefore not used.
>
> Examples of packages in Gentoo Linux which have an OPTIONAL dependency on PAM: shadow, sudo, openssh, libcap, systemd, util-linux, screen, cronie, polkit, cups, sddm, kscreenlocker, xscreensaver
> (So a KDE Plasma desktop environment and its direct and indirect dependencies can be installed without PAM.)
>
> The suggested substitutes for the spwd module, i.e. python-pam and simplepam, look like they would not work on a PAM-free system.
Thanks for bringing this up. I don't think we need to care about this case.
A PAM-free Linux system is an IMHO very special and exotic case. It's certainly not a setup anybody should run on a server. There are a lot of good reasons to use PAM. I'll update the BPO with reasons soonish.
By the way, the /etc/shadow shadow(5) format is trivial and can be parsed with a few lines of code. There is no need to use spwd.
Christian
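The shadow(5) format mentioned above, parsed in Python as an added example that is not part of the original thread; the sample lines and placeholder hashes are constructed, and the parser also reports the account states an auditor would read off each entry:

```python
# Added example (not from the thread): parser for the nine-field shadow(5) format.
# Runs on constructed lines; a real /etc/shadow is readable only by root or the shadow group.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)  # numeric shadow fields are days since this date


@dataclass
class ShadowEntry:
    name: str
    password: str  # crypt(3) hash, '' (no password) or '!'/'*' prefix (locked)
    last_change: Optional[int]  # 0 means the user must change it at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]
    reserved: str

    def status(self) -> str:
        # Coarse account state an auditor would derive from the entry.
        if self.password == "":
            return "no-password"
        if self.password.startswith(("!", "*")):
            return "locked"
        return "must-change" if self.last_change == 0 else "active"

    def expiry_date(self) -> Optional[date]:
        return None if self.expire is None else EPOCH + timedelta(days=self.expire)


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    name, password, *days, reserved = fields
    # An empty numeric field means "unset", not zero.
    return ShadowEntry(name, password, *(int(f) if f else None for f in days), reserved)


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(ln) for ln in text.splitlines() if ln.strip()]


# Constructed sample; the hashes are placeholders, not real credentials.
SAMPLE = """root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18100:0:90:7:14:18500:
bob::18200:0:99999:7:::
carol:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:99999:7:::
"""
```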