[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: An "orthogonal" way of using libpam



Hello Joerg!

On Sat, 28 Dec 2002, Joerg Sommer wrote:

> > be handy if the user's application wants to do it's own authentication.
>
> I don't know, if this is a good thing or if you open with this some
> security holes.

The applications which grant privileges (login, sshd and similar) are run
by root anyway, so they are going to be configured by root...

An application which grants access to some user's resources is totally
under the responsibility of that user anyway. The user already has the
total control over her resources and always can (usually "may not", but
still can!) give them away.

> Better is IMHO, if the admin can include a file into a
> file in /etc/pam.d/x, somthing like "$HOME/.pam/x".

Why have to create identical pam entries on thousands of hosts, as soon as
we set up a new application that needs authentication (like a new
xlock-even-more, vnc, any other legitimate user-run interactive
service available to untrusted parties)? It is our reality - applications
runnable on multiple administration domains, where the administrators do
not want to touch their hosts' /etc.

> And what is such a application, that want do authentication by its own
> way? And what it will do different to /etc/pam.d/x?

We could run several instances of the same application (sshd, samba,
younameit), even on the same host, with different authentication policies
(and different sets of resources available to the processes), for testing,
or for different uses, say to isolate student laboration
administration from administration of massive computational tasks by
the employees...

Regards,
--
Ivan





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []