[For pkg-shadow-devel readers, I'm just retrying with my address subscribed to pam-list. Sorry for the duplicate.]
Hello,
According to the Linux-PAM Module Writers' Guide and the Linux-PAM Application Developers' Guide, the PAM_USER item can be set or changed by any module, and should be checked after each call to a PAM function.
Now I'm having a problem with pam_setcred. It is specified that the UID and GID credentials should be set before calling this function.
Is it possible that the pam_setcred function changes the PAM_USER item? In that case, what do you think should be the behavior of applications? (Redo a setuid/setgid?)
After calling pam_setcred, I'm also calling pam_open_session; can the PAM_USER item be changed at that time as well?
Do you have examples of modules that change the PAM_USER item?
My questions are related to su (from shadow-utils), which uses the following sequence:
  pam_start (always with a non-NULL username)
  pam_authenticate
  pam_acct_mgmt
  (pam_chauthtok)
  pam_setcred
  pam_open_session
Currently, su considers that it has to switch to the user specified on the command line.
Do you think su should follow the changes made to PAM_USER? (And up to what step in the above sequence?)
Or should su always do what it was requested to do, even if PAM_USER was changed to authenticate another user or for any other reason?
(I'm lacking the rationale or use cases for changing PAM_USER.)
Thanks in advance,
--
Nekral
_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list