[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Login PAM interaction suspect

On Wed, Nov 16, David Mitton wrote:

> Quoting Nicolas François <nekral lists gmail com>:
>> Hello,
>> On Wed, Nov 16, 2011 at 10:38:55AM -0500, David Mitton wrote:
>>> This was discussed in some other forum (which I lost my breadcrumbs to).
>>> It's moot to me, as I currently don't plan on changing that value.
>>> But login should not assume that  getpwnam(PAM_USER) will work until
>>> committed with a setcred.
>> OK. I see your point and getpwnam() should be delayed as much as possible.
>> However, login is required to setuid(<UID>) / setgid(<GID>) before
>> setcred, and <UID> or <GID> can only be found using getpwnam(PAM_USER).
> Why would that be?

Because else pam_setcred cannot modify them and calling them
afterwards would invalidate all changes pam_setcred() is doing.

> and where is it written?

Did you ever read the manual page about pam_setcred()?

"Such credentials should be established,
 by the application, prior to a call to this function. For example,
 initgroups(2) (or equivalent) should have been performed."


Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]