Do I need Dropline Gnome? [July 2006]
…and Dropline replaces the shadow package with… shadow. (OMG!) …and let’s clarify something—it’s not “Slack developers”, it’s “Patrick Volkerding” who is one guy.
Another thing you’re managing to omit is why Slackware doesn’t use PAM. Patrick has been pretty clear about this in the distant past (because answering the same questions over and over gets old and is a waste of time. *ahem*). Slackware does not include PAM because he feels that for the majority of the single-user desktop machines and simple servers out there (which are the usual places you find Slackware) it’s not needed. He also cites that PAM is a @#$%! to work with from a system architect’s standpoint, and anyone who has used it would likely agree. So basically Patrick chose to leave it out because it’s a big hassle for relatively little gain for the uses of Slackware that he is targeting.
Unfortunately that decision was something that happened a long, long time ago (in software-years) and is starting to show its age. PAM, in the role that Dropline has put it in, solves a whole horde of issues that plague more modern desktops. (Luckily for the end-users, its presence and functionality are entirely transparent.) Right from the start, PAM gives the system the ability to “know” whether or not the current user is physically present at the machine. This is very useful because it eliminates one of the #1 problems of a new Slackware installation, i.e., “Why does my sound not work?” where the cause is that the user has no permission to write to /dev/audio or /dev/dsp. Patrick suggests that users add their accounts to the audio group, which is fine, but it’s work they no longer have to do. More to the point, when the user logs out their account will still have membership in the audio group if they go somewhere else and log in remotely over ssh. Since they’re not at the machine, there’s not much point in this and it represents a small security problem. The pam_console part of PAM makes sure that people are able to access the hardware that they’re supposed to when they’re at the console, and that they can’t when they are somewhere else later on.
PAM also facilitates a mechanism by which the GUI system administration tools that so many people are fond of don’t require being made suid to work (which is dangerous), and don’t require that the user have to do any complex dance with sudo or su and/or setting X11 cookies in order to get them to work. Again, since pam_console is in play, applications can be easily wrappered so that when root privs are needed, a dialog box “just appears” asking for the root password. It also allows things like rebooting the machine to be done from the console without having to bother about a password, while not leaving it so that same user can reboot the machine remotely.
There are more things that PAM solves, but this post is already long enough and I’m nowhere near done.
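The pam_console arrangement described in this post, sketched as an added configuration example that is not part of the original post or Dropline's own files. It assumes the stock pam_console layout (file paths, class names and device globs as shipped on Red Hat-style systems), so the exact contents on a Dropline install may differ.

```conf
# --- Static alternative the post contrasts with (for comparison) ---
# /etc/group: membership persists for every session, including ssh logins.
#   audio::17:alice        <- constructed sample entry

# --- /etc/pam.d/login (excerpt; same line goes in the gdm/xdm service files) ---
# On session open at a local console, pam_console hands the devices listed
# in console.perms to the user; on session close it hands them back.
session    optional     pam_console.so

# --- /etc/security/console.perms (excerpt) ---
# What counts as "the console": local virtual terminals and local X displays.
# An ssh login gets a pts/N tty, which matches none of these patterns.
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

# Device class: shell-style globs for the sound devices (illustrative list).
<sound>=/dev/dsp* /dev/audio* /dev/mixer*

# While the user holds the console: mode 0600, owned by that user.
# After logout: mode 0600, owned by root again.
<console>  0600 <sound>  0600 root

# --- /etc/pam.d/reboot ---
# Used when reboot is launched through the consolehelper wrapper.
# root passes immediately; anyone else passes only while holding the console,
# so the same account over ssh is refused.
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so

# --- /etc/security/console.apps/reboot ---
# An (empty) file here marks reboot as a program console users may run.
```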