F40 Change Proposal: Switch pam_userdb from BerkeleyDB to GDBM (System Wide)

Wiki Link

Announce Link

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

:link: Summary

pam_userdb was built with support for BerkeleyDB, but this project is no longer maintained as open source, so it is replaced by GDBM.

:link: Owner

:link: Detailed Description

Currently, the Fedora provided BerkeleyDB versions is 5.x, which has been unmaintained upstream for several years. BerkeleyDB v6.x is license incompatible, so moving to that version is not an option.

The proposal is to switch to GDBM, which has upstream support and whose license is compatible with Fedora.

:link: Feedback

This proposal contains manual steps to be executed by system administrators in the upgrade path. It is a risky point, as it relies on sysadmins reading the documentation, but it’s the best solution so far. The database location is defined in the PAM stack, and the system administrator can set it to any value. Therefore, the only way to automate this would be to embed the database port in the PAM module code. But the port should be handled by libdb as this will allow to concentrate all the effort on a single binary, which will do this job for other packages as well.

An email thread was opened in Fedora devel to discuss this topic. Steve Grubb mentioned that this approach was used in the past to update other PAM modules. So even if the solution is not ideal, the best approach is to document the database porting process and let the system administrator run it manually.

:link: Benefit to Fedora

  • This change uses a database that is Fedora license compatible.
  • This changes uses an upstream maintained database version, with new features and bug fixing. pam_userdb controls user authentication, and a bug in the database could lead to a security vulnerability.

:link: Scope

:link: Upgrade/compatibility impact

:link: Upgrade

  • If the pam_userdb module is used by the system, then the user/sysadmin will have to run the conversion tool. This can’t be done automatically because the database location is configurable, and the conversion tool will need manual intervention.

:link: Compatibility

  • pam_userdb module is mainly used in vsftpd environments. If this module is used by the system and the database isn’t converted, then the user won’t be able to authenticate in vsftpd environments. The user would still be able to authenticate using other methods (i.e. su, ssh) and run the conversion tool.

:link: How To Test

  • Run db_converter to convert the database. Example

db_converter --src /etc/vsftpd/login.db --dest /etc/vsftpd/login.gdbm

  • vsftpd login

  • Check that the user is authenticated

:link: User Experience

Users won’t experience any change.

:link: Dependencies

vsftpd depends on this change, but nothing needs to be done in this package.

:link: Contingency Plan

  • Contingency mechanism: Postpone to the next release.
  • Contingency deadline: Beta freeze.
  • Blocks release? No.

:link: Documentation

MR in the System Administrator’s Guide with the documentation proposal.

:link: Release Notes

pam_userdb switches database provider to GDM. Instructions on how to update in the System Administrator’s Guide

I have to be honest, I’m not clear on how this point:

…makes it impossible to automate this. (I’m not saying it DOESN’T make it impossible to automate, just that it isn’t clear to me from the information provided here why it’s not possible.)

The DB upgrade is running locally on the affected machine, after all. So, couldn’t the migration tool — at least in theory — access the local configuration to discover the location of the database, wherever it may be?

But perhaps we’re not actually talking about “the” userdb, but rather an arbitrary collection of multiple potential userdbs. Each of which has no standard location, and therefore may have been stored anywhere an admin chose to place it? (Which I’m now beginning to suspect, from reading through the pam_userdb(8) man page and other resources, is the case.)

If that’s the case, would it be possible to provide overlapping support for both formats, to facilitate migration? Like, for example (just sketching here):

  1. A PAM module supporting the new GDBM-format userdb is added to the PAM package, alongside pam_userdb.so — let’s call it pam_userdb2.so just as an arbitrary placeholder.
  2. The legacy pam_userdb.so begins to emit messages about its deprecation into the system journal, anytime it’s activated by PAM.
  3. The deprecation messages instruct affected admins that they need to convert their legacy userdb to GDBM format (and how), as well as update their PAM configuration so it loads the converted DB using pam_userdb2.so instead.
  4. Admins (hopefully) see the messages, convert their userdbs to GDBM format, and edit their PAM configuration to replace
    pam_userdb.so db=/path/to/legacy.db ...
    pam_userdb2.so db=/path/to/converted.db ...
  5. At some point later, pam_userdb.so is dropped from the package.

It’s more complex, admittedly. But it avoids a complete rug-pull where pam_userdb.so silently lets people keep using the legacy format, right up until it suddenly doesn’t.

You hit the nail on the head. I should have been more specific about why this is more difficult to automate than anyone would initially think.

Thanks for the proposal, but this postpones the inevitable and assumes that the administrator will look at the messages when nothing will be failing from a user point of view. Let’s face it, error/warning messages are only looked at when the user complains. It is better to fail sooner rather than later, and for the sysadmin to seek information on how to upgrade their system when the information is still fresh and easily accessible.

In addition, this would mean keeping libdb on Fedora for a longer period of time, which is something that wants to be avoided.