configuring pam_snapper in /etc/pam.d/common-session

Hello,

I’d like to start off by saying I know nothing about pam.

I’m in the process of trying to set up pam_snapper and I’d like to check a few things before I proceed.
I’m running Tumbleweed and have already used /usr/lib/pam_snapper/pam_snapper_homeconvert.sh to convert my home dir into a btrfs subvol.

In the pam_snapper man page it states:
Add the following line to /etc/pam.d/common-session:
session optional pam_snapper.so

I believe the shell script /usr/lib/pam_snapper/pam_snapper_pamconfig.sh can automate that step too.

It would seem that by default c is a symlink to the file /etc/pam.d/common-session-pc

When trying to find out more about pam and the relationship between the files in /etc/pam.d/ I came across this link: https://www.suse.com/support/kb/doc/?id=000018934

This bit in particular is what’s concerning me:
Removing these symbolic links effectively disables pam-config, because pam-config only operates on the common-*-pc files and these files are not put into effect without the symbolic links.

And then in the pam-config man page:
The configuration for gobal (I assume it meant global?) service modules written by pam-config is ignored by the system if the common-{account,auth,password,session} symlinks don’t point to the common-{account,auth,password,session}-pc files.

I believe that if I added the pam_snapper entry to the /etc/pam.d/common-session-pc file it’ll be overwritten whenever pam-config is called.

My questions are:
If I make the changes myself or run the pam_snapper_pamconfig.sh to automate it, what happens then?

I ask, because to someone who knows nothing about pam, it makes it sound like any updates or newly installed software which would normally have their entries added to /etc/pam.d/common-session-pc will be ignored if you have a /etc/pam.d/common-session file.

If that is so, then how would I use pam_snapper and not end up having to manually keep tabs on pam configurations whenever I install, remove or update software?

Or do I have all of that wrong and it’ll be alright if I run /usr/lib/pam_snapper/pam_snapper_pamconfig.sh ?

PAM configuration changes relatively infrequently, so a workaround would be to periodically check the *_pc files and adjust your file if some change is detected or if you consciously changed the PAM configuration, e.g. via YaST. Looking at the output of “zypper se --requires pam-config”, there are not many packages that use it, and the most common are already installed.

Otherwise your only option is to open a bug report on pam-config and ask for pam_snapper support. Both are written and maintained by SUSE, so this would be just logical. Even better, of course, would be the possibility to preserve manually added modules in pam-config …

pam-config is not part of PAM core; it is a tool written by SUSE for its own purposes. In general it is not really needed; it is just some convenience layer.
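
The periodic check suggested in the reply above, sketched as an added example (not part of the original thread and not code from pam-config or snapper). It assumes the common-session symlink has been replaced by a regular file carrying the pam_snapper line; the function names pam_normalise and pam_drift_check and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: detect when a hand-edited /etc/pam.d/common-session has
# fallen behind the pam-config-generated common-session-pc.

# Print the effective stack of a PAM file: comments and blank lines removed,
# whitespace squeezed, the locally added pam_snapper line dropped.
# Line order is preserved because PAM evaluates modules in order.
pam_normalise() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" |
        grep -v -e '^$' -e 'pam_snapper\.so' || true
}

# pam_drift_check DIR NAME
# returns 0 in sync, 1 drift, 2 NAME is still a symlink, 3 file missing
pam_drift_check() {
    mine="$1/$2"
    generated="$1/$2-pc"
    if [ ! -e "$mine" ] || [ ! -e "$generated" ]; then
        echo "missing: $mine or $generated"; return 3
    fi
    if [ -L "$mine" ]; then
        echo "symlink: $mine -> $(readlink "$mine"), pam-config output is live"
        return 2
    fi
    if [ "$(pam_normalise "$mine")" = "$(pam_normalise "$generated")" ]; then
        echo "in sync: $mine matches $generated apart from pam_snapper"
        return 0
    fi
    echo "drift: $generated differs from $mine, review and merge by hand"
    return 1
}

# Demo on constructed sample files in a scratch directory (not a real PAM stack).
demo_dir=$(mktemp -d)
printf 'session required pam_limits.so\nsession required pam_unix.so\n' \
    > "$demo_dir/common-session-pc"
{ cat "$demo_dir/common-session-pc"; echo 'session optional pam_snapper.so'; } \
    > "$demo_dir/common-session"
pam_drift_check "$demo_dir" common-session || echo "exit status $?"
# Simulate pam-config regenerating the -pc file with an extra module.
echo 'session optional pam_systemd.so' >> "$demo_dir/common-session-pc"
pam_drift_check "$demo_dir" common-session || echo "exit status $?"
rm -rf "$demo_dir"
```

On a real system the call would be pam_drift_check /etc/pam.d common-session, run after package updates or YaST changes; a return of 1 means the generated file gained or lost a module that the hand-maintained file does not reflect.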

Thank you for the information.

Trying to figure it all out from scratch was a bit daunting. I didn’t want to make assumptions on a subject I knew nothing about and set myself up for things breaking in ways I may not have expected or recognised further down the line.

I’ll put in a request and see what they say.

Once again, thanks for your time.