
Use of "[success=ok ...]" form



> OK, I'm running out of hair to pull on this one and searching Google and 
> SourceForge didn't help.  I'm trying to build a PAM control file for testing 
> a new PAM module.  The environment is SuSE Linux 7.0, running 
> Linux-PAM 0.72. I'd like to make my test-module "sort of optional" while
> I'm working on it.  Sounds like a tailor-made case for the "more elaborate 
> (newer) syntax" PAM control file:
> 
> 	module-type [ value=action value=action ... ] module-path arguments
> 
> My first attempt failed miserably, and was rather complex, so I figured I'd back 
> off to something really simple:  Could I explicitly describe "optional" and get 
> the same results as "optional"?  Of course, the answer is NO, or I wouldn't be 
> writing!
> 
> The first problem was figuring out exactly what "optional" means in more complex
> terms.  According to libpam/pam_handlers.c, it's the same as "[success=ok
> new_authtok_reqd=ok default=ignore]".  I'd *love* to see the SysAdmin manual
> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html) include 
> the complex forms for all four simple forms so I won't have to go code-diving next 
> time.
> 
> Second problem - coding exactly that results in different behavior from "optional".
> Specifically, when my test-module returns PAM_SERVICE_ERR, later modules
> in the stack aren't executed with the complex form, but are with the simple form.
> 
> I've read the code in pam_handlers.c and pam_misc.c until my eyes crossed, and
> this makes no sense to me.  It's obvious how _pam_parse_conf_file() maps "optional" 
> to an action array, and while _pam_parse_control() isn't obvious, it's hardly rocket 
> science.
> 
> What gives?  Anybody understand this stuff?
> 
> Ross Patterson
> Computer Associates
> 
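Added example, not part of the original post and not Linux-PAM code: a small Python parser for the bracketed control field described above. It expands the four simple keywords using the equivalents listed in the current Linux-PAM pam.conf(5) man page (assumed, not verified, for 0.72) and reports which return values two control fields treat differently. It models only the syntax and the documented mapping, not libpam's stack dispatch; the function names are hypothetical.

```python
import re

# Return-value tokens and actions as listed in pam.conf(5) of current Linux-PAM.
RETURN_CODES = set("""success open_err symbol_err service_err system_err buf_err
perm_denied auth_err cred_insufficient authinfo_unavail user_unknown maxtries
new_authtok_reqd acct_expired session_err cred_unavail cred_expired cred_err
no_module_data conv_err authtok_err authtok_recover_err authtok_lock_busy
authtok_disable_aging try_again ignore abort authtok_expired module_unknown
bad_item conv_again incomplete default""".split())
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}

# Bracket equivalents of the four simple keywords, per the same man page.
SIMPLE = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(field):
    """Return {return_code: action} for a simple or bracketed control field."""
    field = SIMPLE.get(field.strip(), field.strip())
    m = re.fullmatch(r"\[\s*(.*?)\s*\]", field)
    if not m:
        raise ValueError(f"not a control field: {field!r}")
    table = {}
    for pair in m.group(1).split():
        code, sep, action = pair.partition("=")
        if not sep or code not in RETURN_CODES:
            raise ValueError(f"unknown return value in {pair!r}")
        # An action is a keyword or a positive integer (modules to skip).
        if action not in ACTIONS and not (action.isdigit() and int(action) > 0):
            raise ValueError(f"unknown action in {pair!r}")
        table[code] = action
    return table

def action_for(field, return_code):
    """Action selected for one module return code; None if nothing applies."""
    table = parse_control(field)
    return table.get(return_code, table.get("default"))

def differences(a, b):
    """Return codes for which two control fields select different actions."""
    codes = sorted(RETURN_CODES - {"default"})
    return [c for c in codes if action_for(a, c) != action_for(b, c)]
```

Under this mapping, differences("optional", "[success=ok new_authtok_reqd=ok default=ignore]") is empty and service_err resolves to "ignore" in both forms, so a difference in observed behaviour would have to come from how a given libpam build parses or dispatches the field rather than from the mapping itself.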




