pam_oddjob_mkhomedir.so versus pam_mkhomedir.so
- package name
'rpm -qf /usr/lib64/security/pam_mkhomedir.so'
pam-1.3.1-15.el8.x86_64
'rpm -qf /usr/lib64/security/pam_oddjob_mkhomedir.so'
oddjob-mkhomedir-0.34.7-1.el8.x86_64
By default, authconfig/authselect prefers the oddjob module (pam_oddjob_mkhomedir.so) over pam_mkhomedir.so.
- Reason
The reason we have pam_oddjob_mkhomedir is to separate out the ability to create a homedir and all of the content from the login programs.
With pam_mkhomedir, login programs have to be allowed to create your homedir, but if you set up /etc/skel then they also need to be able to create any content in your home dir.
We in the SELinux world want to control what login programs can do. So we want to separate this ability to create home directory content into a separate privileged daemon on the hosts, which the login programs can ask to create the content. This means that from an SELinux point of view we can stop login programs like sshd from reading random content in your homedir. Why is this important? Over the years it has been shown that login programs have had bugs that led to information leakage without the users ever being able to log in to a system.
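As an added example (not part of the original note or of either package), the shell function below audits a PAM stack file and reports whether home-directory creation runs in-process through pam_mkhomedir.so or is delegated through pam_oddjob_mkhomedir.so. The function name classify_pam_file and the two sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which mkhomedir module a PAM stack uses.
# Returns 1 if the in-process pam_mkhomedir.so is configured, 0 otherwise.
classify_pam_file() {
    awk -v f="$1" '
        { sub(/#.*/, "") }                     # strip comments
        NF < 3 { next }
        {
            type = $1; sub(/^-/, "", type)     # "-session": optional-module prefix
            if (type != "session") next
            i = 2                              # control may be "[a=b c=d]" with spaces
            if ($i ~ /^\[/) while (i <= NF && $i !~ /\]$/) i++
            i++                                # module path follows the control field
            if (i > NF) next
            n = split($i, p, "/"); mod = p[n]  # accept absolute or bare module names
            if (mod == "pam_mkhomedir.so") { print "IN-PROCESS " f ":" NR; bad = 1 }
            else if (mod == "pam_oddjob_mkhomedir.so") print "ODDJOB " f ":" NR
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample stacks (not copied from a real host).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/legacy" <<'EOF'
auth     required  pam_unix.so
# session optional pam_oddjob_mkhomedir.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session  optional  /usr/lib64/security/pam_mkhomedir.so umask=0077
EOF
cat > "$SAMPLES/oddjob" <<'EOF'
-session optional  pam_oddjob_mkhomedir.so
session  required  pam_unix.so
EOF

classify_pam_file "$SAMPLES/legacy" || echo "legacy: login program creates the home directory itself"
classify_pam_file "$SAMPLES/oddjob" && echo "oddjob: creation is delegated to the oddjob daemon"
```

On a real host the same function can be pointed at the files under /etc/pam.d; a non-zero return marks a stack where the login program itself must be allowed to write home directory content.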