Suggestions on how to deal with architecture detection for pam authentication in pure-ftpd

Scott Haneda talklists at newgeo.com
Fri Apr 30 14:08:26 PDT 2010


I needed to add a variant to the Pure-FTPd port that I am maintaining.  There is a feature called uploadscript, which will allow a script to be run after any upload action is taken.  This can be handy for triggering FTP maintenance, or, in the case I am now considering, passing the uploaded files to ClamAV and having them scanned to be sure they are not malicious.

Regardless of how it is used, it is one of few configure args that I do not have a variant for at all.

I altered the Portfile to add this:
variant uploadscript description "Configures ${name} to support post processing of uploaded files" {
    configure.args-append --with-uploadscript
}

Does that look correct?  

I am able to build successfully with +uploadscript.  Using -d I was able to see if the configure.arg was appended.  Is there any way, post installation of a port, to see what the exact install command was, as well as what the resulting configure command was?

I wanted to test my change, but did not want to set up MySQL AUTH and the whole kit.  So PAM it was. I can quickly `ftp localhost` and use my Mac OS X username and password to make sure things are still working.  Of course, it did not work.

The Pure-FTPd docs ( http://download.pureftpd.org/pub/pure-ftpd/doc/README.MacOS-X ) state to add:

$ cat /etc/pam.d/pure-ftpd
    AUTH       sufficient     pam_securityserver.so
    AUTH       required       pam_deny.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so

Using that method on 10.6, I get a stall when entering in my local user account password.

    Apr 30 12:35:19 macbook pure-ftpd[15003]: in openpam_load_module(): no pam_securityserver.so found

Eventually the ftpd times out.  I started comparing other files in the /etc/pam.d directory, *none* contain the string of "pam_securityserver.so".  The OS X supplied "ftpd" uses:

$ cat /etc/pam.d/ftpd
    # login: AUTH account password session
    AUTH       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so

I changed the file at /etc/pam.d/pure-ftpd to use "pam_opendirectory.so" and everything works.

Here are my problems...
Inability to test this on all the platforms I need to.  At the very least, I need to test 10.5 PPC and Intel.  I have a feeling 10.5 is going to use "pam_securityserver.so".  However, this worked at one point on 10.6 Intel as far as I remember.  This leads me to believe a change was made by Apple within the 10.6 release cycle.  If anyone has a 10.6.0 install and can tell me the contents of /etc/pam.d/ftpd that would answer if this is a change within the 10.6 lifecycle or not.

How do I figure out the chronology of pam_securityserver.so and pam_opendirectory.so?  I also know that it should not be too hard to conditionally decide which .sample file to copy in for the user based on the major version, i.e. 10.5 or 10.6 PPC or Intel, if CPU architecture even matters.  But if this turns out to be a change in minor dot releases of 10.6, I do not know how to detect that granularity in MacPorts.

One thought is to test for the existence of the files, and completely ignore the version of OS the user is on.
    if /usr/lib/pam/pam_securityserver.so exists
        # copy/install .sample for PAM using 'pam_securityserver.so'
    else if /usr/lib/pam/pam_opendirectory.so exists
        # copy/install .sample for PAM using 'pam_opendirectory.so'
    end if

I managed to get this working currently.  I wish I had better understood this issue ( https://trac.macports.org/ticket/23852 ), as it raises the same issues I am raising; I was simply not understanding the ticket creator.

Here is what works on 10.6.3 at /etc/pam.d/pure-ftpd:
    # pure-ftpd: AUTH account password session for PAM
    # Copy this file to /etc/pam.d/pure-ftpd
    # This file created by MacPorts, but installed by the user
    AUTH       sufficient     pam_opendirectory.so
    AUTH       required       pam_deny.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so

What I cannot figure out is why that works, as pam_opendirectory.so does not exist, yet pam_opendirectory.so.2 does.  Does anyone know how this shared object works with the name being .so.2 and not .so?  Both .so and .so.2 work in the /etc/pam.d/pure-ftpd file; they seem interchangeable.

I am open to any and all suggestions on how to best solve this, and how to best provide the simplest experience for the end user.  I imagine most Mac OS X users installing Pure-FTPd are looking for a more configurable replacement for the built-in ftpd on OS X. If my suspicions are correct, then making PAM-based AUTH easy out of the box for the user is where I would want to focus a little more.  I first want to get a handle on what is going on though.

Thanks.
-- 
Scott * If you contact me off list replace talklists@ with scott@ * 
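
The file-existence approach sketched in the post, as an added shell example that is not part of the original message or of the Pure-FTPd port: it picks the auth module from what is present in a module directory and then checks a service file for modules that cannot be resolved, which is the condition behind the "no pam_securityserver.so found" log line. The function names and the scratch directory are hypothetical, a versioned file such as pam_opendirectory.so.2 is assumed to satisfy a reference to pam_opendirectory.so (as the post observed), and the facility keyword is written in lowercase, the standard pam.conf spelling.

```shell
# Added example: choose the PAM auth module by what is installed, then lint.

# Succeeds if DIR ($1) holds module NAME ($2) or a versioned NAME.N.
# Assumption: NAME.N satisfies a reference to NAME, as the post observed.
pam_module_present() {
    for f in "$1/$2" "$1/$2".[0-9]*; do
        if [ -f "$f" ]; then return 0; fi
    done
    return 1
}

# Prints the first auth module found in DIR ($1), in the post's order.
pick_auth_module() {
    for m in pam_securityserver.so pam_opendirectory.so; do
        if pam_module_present "$1" "$m"; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# Prints a pure-ftpd service file for DIR ($1); fails if no module is usable,
# so nothing is installed that would stall every login.
render_service() {
    mod=$(pick_auth_module "$1") || return 1
    printf '%-10s %-14s %s\n' \
        auth sufficient "$mod" \
        auth required pam_deny.so \
        account required pam_permit.so \
        password required pam_deny.so \
        session required pam_permit.so
}

# Prints every module named in service FILE ($1) that DIR ($2) lacks.
missing_modules() {
    awk '$1 !~ /^#/ && NF >= 3 { print $3 }' "$1" | sort -u |
    while read -r m; do
        pam_module_present "$2" "$m" || printf '%s\n' "$m"
    done
}

# Constructed demo: a scratch directory standing in for /usr/lib/pam.
demo_dir=$(mktemp -d)
touch "$demo_dir/pam_opendirectory.so.2" "$demo_dir/pam_permit.so.2"
render_service "$demo_dir" > "$demo_dir/pure-ftpd"
missing_modules "$demo_dir/pure-ftpd" "$demo_dir"   # lists pam_deny.so
rm -rf "$demo_dir"
```

Run against the real module directory, a non-empty result from missing_modules means the service file names a module the loader will not find.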