
Re: An "orthogonal" way of using libpam



Hello Joerg!

On Sat, 28 Dec 2002, Joerg Sommer wrote:

> If the user can ban root from unlocking his session, root has the only
> way to kill the user processes. So I don't want that the user can control
> the pam file for xlock.

It has nothing to do with pam, a user always can lock root out, without
using pam. A trivial example:

#!/bin/sh

clear

trap "" 1 2 3 ....
while true
  do
  echo "Enter password:"
  read pass
  case x"$pass" in
  xMyOwnPass) break ;;
  esac
done

[then if you are running X you have to instruct the window manager to
unconditionally keep focus on that window - but you do not have to be
superuser to do it, just be authorized to the display]

So it is just a matter of policy, what a user is allowed and not allowed
to do. PAM cannot prevent locking abuse, either locking too hard or locking
too loose...

Regards,
--
Ivan
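
[Added example, not part of the original message: on Linux an administrator can see which signals a process such as the script above ignores by decoding the SigIgn mask in /proc/<pid>/status. The function names and the sample status text are constructed for this illustration.]

```shell
#!/bin/sh
# Decode the SigIgn mask from Linux /proc/<pid>/status.
# Bit (n-1) set in the mask means signal number n is ignored.

# Constructed sample: a shell after `trap "" 1 2 3`.
SAMPLE_STATUS='Name:   sh
SigBlk: 0000000000000000
SigIgn: 0000000000000007
SigCgt: 0000000000010000'

# Read status text on stdin, print the SigIgn hex value.
sigign_from_status() {
    awk '$1 == "SigIgn:" { print $2 }'
}

# Print the signal numbers set in a hex mask, space separated.
ignored_signals() {
    mask=$((0x$1))
    out=""
    n=1
    while [ "$n" -le 64 ]; do
        if [ $(( (mask >> (n - 1)) & 1 )) -eq 1 ]; then
            out="${out:+$out }$n"
        fi
        n=$((n + 1))
    done
    printf '%s\n' "$out"
}

# Succeed if signals 1, 2 and 3 (HUP, INT, QUIT) are all ignored,
# which is what the trap line in the script above requests.
ignores_hup_int_quit() {
    [ $(( 0x$1 & 7 )) -eq 7 ]
}

# Usage: script.sh PID   (inspects a live process when a PID is given)
if [ "$#" -ge 1 ] && [ -r "/proc/$1/status" ]; then
    m=$(sigign_from_status < "/proc/$1/status")
    echo "pid $1 ignores signals: $(ignored_signals "$m")"
    if ignores_hup_int_quit "$m"; then
        echo "pid $1 ignores HUP, INT and QUIT"
    fi
fi
```

Signal 9 (SIGKILL) can never be ignored, so it never appears in this list; that is why killing the user's processes remains available to root however the lock is written.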




