
Debathena hacks

This article documents the various interesting hacks that we needed to do in order to create Debathena. Many of these hacks are considerably more generic than just Debathena (for example, anyone using libnss-hesiod or libnss-ldap probably wants libnss-nonlocal, and anyone using AFS PAGs probably wants libnss-afspag). The software is available in Debian package form from the Debathena repository.


PAM modules

We created several new PAM modules for Debathena:

libpam-krb524

A module which runs krb524init to get Kerberos 4 tickets from Kerberos 5 tickets on pam_open_session(), and deletes the Kerberos 4 ticket cache on pam_close_session().

libpam-xauthority

A module which securely creates an Xauthority file in a temporary directory other than the user’s home directory, for use when home directories are on network filesystems. This module is deprecated in favor of the more general libpam-mktemp.

libpam-mktemp

A module which securely creates temporary files or directories and sets an environment variable pointing to them, directly generalizing libpam-xauthority.

libpam-athena-locker

A module similar to libpam-afs-session, but which attaches the user’s home directory rather than simply running aklog on the machine’s home cell. This is important if some users have a different home cell than the machine does.

NSS modules

We created two NSS modules for Debathena:

libnss-afspag

A module which assigns names to the fake groups that AFS uses to store PAG information. This prevents the groups command from failing on a machine using AFS PAGs, which can cause all sorts of annoying issues like winscp failing to work. This functionality is now also available in libnss-afs.

libnss-nonlocal

A module which allows one to configure nonlocal sources of NSS information (like libnss-hesiod, libnss-ldap, or any of the others) so that nonlocal accounts cannot get access to local accounts, and nonlocal groups cannot get access to local groups. This avoids problems like every user being in the group with gid 101 (often crontab on Debian systems) when libnss-hesiod is in use at MIT (where the group mit has gid 101), or the owners of Athena accounts with low UIDs being able to break into system users on Linux systems.

Clean dpkg-divert replacements for configuration files

In creating Debathena, we have often wanted to be able to replace a package’s configuration file without destroying any state on the user’s machine (so that he can uninstall Debathena completely).

The obvious mechanism for doing this would be to preseed Debconf with new configuration information (and then dpkg-reconfigure the affected packages), but this strategy destroys any configuration information that the user entered previously. We chose to use a different system, where our packages install new configuration files under the name FILE.debathena, where FILE is the name of the configuration file. Our system then uses dpkg-divert to move FILE to FILE.debathena-orig, and then installs a symlink from FILE to FILE.debathena. This has the nice property that the machine’s original configuration file is preserved, and the user can easily choose which configuration file to use by simply moving the symbolic link to point to FILE.debathena-orig. Our package removes the symlink and undoes the diversion when it is uninstalled.
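The postinst/prerm logic this paragraph describes, written out as an added example that is not config-package-dev's own code; the package name, the krb5.conf path and the helper names are assumptions:

```shell
#!/bin/sh
# Added illustration of the divert-and-symlink scheme (not config-package-dev's
# own code). PACKAGE and the example paths are assumptions.
set -e

PACKAGE="${PACKAGE:-debathena-krb5-config}"   # assumed package name
SUFFIX=debathena

# Thin wrapper around dpkg-divert so the call sites stay short.
dpkg_divert() { dpkg-divert "$@"; }

# Divert FILE to FILE.debathena-orig and point FILE at FILE.debathena.
# The package must already have shipped FILE.debathena.
divert_config() {
    file="$1"; ours="$(basename "$file").$SUFFIX"
    [ -e "$file.$SUFFIX" ] || { echo "$file.$SUFFIX is missing" >&2; return 1; }
    # Re-running on upgrade is a no-op when our symlink is already in place.
    if [ -L "$file" ] && [ "$(readlink "$file")" = "$ours" ]; then return 0; fi
    dpkg_divert --package "$PACKAGE" --rename --quiet \
        --divert "$file.$SUFFIX-orig" --add "$file"
    ln -s "$ours" "$file"   # relative link stays valid if the tree is mounted elsewhere
}

# Remove our symlink (whether it points at .debathena or .debathena-orig)
# and undo the diversion so the original file comes back under its own name.
undivert_config() {
    file="$1"
    if [ -L "$file" ]; then
        case "$(readlink "$file")" in
            *".$SUFFIX"|*".$SUFFIX-orig") rm -f "$file" ;;
        esac
    fi
    # Anything still here means the admin replaced our link; keep it and stop.
    if [ -e "$file" ] || [ -L "$file" ]; then
        echo "$file is not our symlink; leaving it alone" >&2; return 1
    fi
    dpkg_divert --package "$PACKAGE" --rename --quiet --remove "$file"
}

# Report which variant a diverted file currently resolves to.
active_config() {
    file="$1"
    if [ -L "$file" ]; then readlink "$file"; else echo "(not diverted)"; fi
}
```

Calling divert_config from postinst and undivert_config from prerm reproduces the install/uninstall behaviour described above; active_config is a convenience for checking which file is live.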

We eventually created the debathena-config-build-common package, which contains a CDBS (Common Debian Build System) module to include the shell functions for our diversion system into a package’s postinst and prerm scripts, and divert the relevant files. The interface is very simple, since we only need to add a single line to the rules file to divert an additional file. In Spring 2008, we prepared this system for broader release as the config-package-dev package.

One disadvantage of our system in comparison to the Debconf preseeding strategy is that when the user installs a package like krb5-config whose configuration files are going to be diverted, he is asked various questions, whose answers are irrelevant to the Debathena configuration he will eventually receive. This can be handled by setting DEBIAN_FRONTEND=noninteractive, but it is not as clean as we would like.

The Debathena system for configuration packages for Debian is described in detail on the config-package-dev page.

Supporting several distributions simultaneously

Debathena is built for all current releases of Debian and Ubuntu for 32-bit and 64-bit PCs:

  • Debian 5.0 Lenny (stable) for i386 and amd64
  • Ubuntu 8.04 LTS Hardy, 8.10 Intrepid, 9.04 Jaunty, 9.10 Karmic, and 10.04 LTS Lucid for i386 and amd64

For packages built from a single source, we currently append the suffix ~debian5.0 (or similar) to the binary package version number so that the binaries built on different distributions can share the repository. We’ll add more information later about our system for building all of these in the same repository from the same source packages where possible. The patches to upstream sbuild for implementing this are Debian bugs #475777 and #472350.

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

August 07, 2014
