Web lists-archives.com

HELP WANTED: security review / pam experts for su transition


as previously discussed it seems all stakeholders are pretty much in
agreement that it would be better for debian to use the implementation
of login tools from src:util-linux instead of from src:shadow.
Investigations about implementation differences has been done and
remaining work is basically to implement the switch.
(Details in #833256)

As a preparation step for larger login package switch (which I'm not
comitting to at the moment!), I'd like to start with switching only 'su'
and moving it from 'login' (binary package) to 'util-linux' (binary
package). This should also pave the way for potentially making login
non-essential in the future.

WIP on util-linux side:

I don't feel entirely comfortable doing this security-sensitive work
entirely on my own without peer review. I'm thus looking for people
willing to review the security critical aspects, preferably PAM experts.
Are you willing to help? Please contact me.

Andreas Henriksson