F40 Change Proposal: Switch pam_userdb from BerkeleyDB to GDBM (System Wide)

Wiki Link

Announce Link

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

pam_userdb was built with support for BerkeleyDB, but this project is no longer maintained as open source, so it is replaced by GDBM.

Owner

• Name: Iker Pedrosa Filip Janus
• Email: ipedrosa@redhat.com fjanus@redhat.com

Detailed Description

Currently, the Fedora provided BerkeleyDB versions is 5.x, which has been unmaintained upstream for several years. BerkeleyDB v6.x is license incompatible, so moving to that version is not an option.

The proposal is to switch to GDBM, which has upstream support and whose license is compatible with Fedora.

Feedback

This proposal contains manual steps to be executed by system administrators in the upgrade path. It is a risky point, as it relies on sysadmins reading the documentation, but it’s the best solution so far. The database location is defined in the PAM stack, and the system administrator can set it to any value. Therefore, the only way to automate this would be to embed the database port in the PAM module code. But the port should be handled by libdb as this will allow to concentrate all the effort on a single binary, which will do this job for other packages as well.

An email thread was opened in Fedora devel to discuss this topic. Steve Grubb mentioned that this approach was used in the past to update other PAM modules. So even if the solution is not ideal, the best approach is to document the database porting process and let the system administrator run it manually.

Benefit to Fedora

• This change uses a database that is Fedora license compatible.
• This changes uses an upstream maintained database version, with new features and bug fixing. pam_userdb controls user authentication, and a bug in the database could lead to a security vulnerability.

Scope

• Proposal owners:

  • libdb includes a new subpackage libdb-convert-util, that provides db_converter, a program to port a BerkeleyDB database to GDBM.
  • Change PAM database build option to GDBM.

• Other developers: N/A

• Release engineering: Issue #11649: pam_userdb switching from BerkelyDB to GDBM - releng - Pagure.io

• Policies and guidelines: Yes. Opened a MR in the System Administrator’s Guide with the documentation proposal.

• Trademark approval: N/A

• Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

Upgrade

• If the pam_userdb module is used by the system, then the user/sysadmin will have to run the conversion tool. This can’t be done automatically because the database location is configurable, and the conversion tool will need manual intervention.

Compatibility

• pam_userdb module is mainly used in vsftpd environments. If this module is used by the system and the database isn’t converted, then the user won’t be able to authenticate in vsftpd environments. The user would still be able to authenticate using other methods (i.e. su, ssh) and run the conversion tool.

How To Test

• Run db_converter to convert the database. Example

db_converter --src /etc/vsftpd/login.db --dest /etc/vsftpd/login.gdbm

• vsftpd login

• Check that the user is authenticated

User Experience

Users won’t experience any change.

Dependencies

vsftpd depends on this change, but nothing needs to be done in this package.

Contingency Plan

• Contingency mechanism: Postpone to the next release.
• Contingency deadline: Beta freeze.
• Blocks release? No.

Documentation

MR in the System Administrator’s Guide with the documentation proposal.

Release Notes

pam_userdb switches database provider to GDM. Instructions on how to update in the System Administrator’s Guide

I have to be honest, I’m not clear on how this point:

…makes it impossible to automate this. (I’m not saying it DOESN’T make it impossible to automate, just that it isn’t clear to me from the information provided here why it’s not possible.)

The DB upgrade is running locally on the affected machine, after all. So, couldn’t the migration tool — at least in theory — access the local configuration to discover the location of the database, wherever it may be?

But perhaps we’re not actually talking about “the” userdb, but rather an arbitrary collection of multiple potential userdbs. Each of which has no standard location, and therefore may have been stored anywhere an admin chose to place it? (Which I’m now beginning to suspect, from reading through the pam_userdb(8) man page and other resources, is the case.)

If that’s the case, would it be possible to provide overlapping support for both formats, to facilitate migration? Like, for example (just sketching here):

1. A PAM module supporting the new GDBM-format userdb is added to the PAM package, alongside pam_userdb.so — let’s call it pam_userdb2.so just as an arbitrary placeholder.
2. The legacy pam_userdb.so begins to emit messages about its deprecation into the system journal, anytime it’s activated by PAM.
3. The deprecation messages instruct affected admins that they need to convert their legacy userdb to GDBM format (and how), as well as update their PAM configuration so it loads the converted DB using pam_userdb2.so instead.
4. Admins (hopefully) see the messages, convert their userdbs to GDBM format, and edit their PAM configuration to replace

   pam_userdb.so db=/path/to/legacy.db ...
   

   with

   pam_userdb2.so db=/path/to/converted.db ...
   

5. At some point later, pam_userdb.so is dropped from the package.

It’s more complex, admittedly. But it avoids a complete rug-pull where pam_userdb.so silently lets people keep using the legacy format, right up until it suddenly doesn’t.

You hit the nail on the head. I should have been more specific about why this is more difficult to automate than anyone would initially think.

Thanks for the proposal, but this postpones the inevitable and assumes that the administrator will look at the messages when nothing will be failing from a user point of view. Let’s face it, error/warning messages are only looked at when the user complains. It is better to fail sooner rather than later, and for the sysadmin to seek information on how to upgrade their system when the information is still fresh and easily accessible.

In addition, this would mean keeping libdb on Fedora for a longer period of time, which is something that wants to be avoided.

Hello, an external application developer here. We just started using pam_userdb in a test suite for mocking our PAM authorization code. We considered some alternatives of course, but the most often suggested libpam-pwdfile has been abandoned since 2018. Given that pam_userdb is shipped by default in current Fedora and various other distros as well, using that looked like a good choice.

Now, since this is just a unit test fixture, we do not really care about the internal DB format. We just need “a flag” to specify whether to call db_load or gdbm_xxx. Can you please add a pkg-config level variable for this?

I already modified the configuration flag that selects the database format at compilation time to take into account gdbm: --enable-db=gdbm.

But what are you trying to solve here? Fedora sets that option to gdbm, thus all provided PAM packages since Fedora 40 will use gdbm. The only thing that comes to my mind is that you are worried about other distributions, then this option would be your solution.

Reference to the source code change: pam_userdb: enable GDBM support · linux-pam/linux-pam@45c2c49 · GitHub

I need to know how to produce the on-disk DB file. Either I call Berkley DB’s db_load, or I have to invoke something else to init the GDBM-based one. For that, I need a flag which tells me what format the pam_userdb expects on-disk.

You can use ldd for that purpose, as it will tell you which libraries pam_userdb is linking. Fedora 38 example:

$ ldd /lib64/security/pam_userdb.so
linux-vdso.so.1 (0x00007ffcd59cb000)
libdb-5.3.so => /lib64/libdb-5.3.so (0x00007f7d3917d000)
libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f7d39144000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007f7d39132000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f7d39103000)
libeconf.so.0 => /lib64/libeconf.so.0 (0x00007f7d390f6000)
libm.so.6 => /lib64/libm.so.6 (0x00007f7d39015000)
libc.so.6 => /lib64/libc.so.6 (0x00007f7d38e35000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f7d38e2c000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7d39368000)

Example for Fedora rawhide:

$ ldd /lib64/security/pam_userdb.so
linux-vdso.so.1 (0x00007ffee77cc000)
libgdbm.so.6 => /lib64/libgdbm.so.6 (0x00007fe31e2c2000)
libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007fe31e289000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007fe31e278000)
libc.so.6 => /lib64/libc.so.6 (0x00007fe31e036000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe31e2e0000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007fe31e007000)
libeconf.so.0 => /lib64/libeconf.so.0 (0x00007fe31dffa000)
libm.so.6 => /lib64/libm.so.6 (0x00007fe31df16000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007fe31df0d000)

The first output states libdb, while the second libgdbm.

Well, try doing that from CMake :). All I’m asking for is a one-line addition to pam.pc.

But anyway, we’ve hit some performance issues with pam_userdb on Fedora 38 (a successful PW validation that took 2 seconds while it was instant on Arch and NixOS). We’ve therefore switched to Samba’s cwrap’s pam_matrix. I think that my point still stands, but since we are not affected by this change anymore, I won’t keep pushing for a fix.

Closing change proposals for F40. The ship has sailed. Of course we can still discuss if needed, but please open new topics for that.