[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Login PAM interaction suspect



On Wed, Nov 16, David Mitton wrote:

> Quoting Nicolas François <nekral lists gmail com>:
>
>> Hello,
>>
>> On Wed, Nov 16, 2011 at 10:38:55AM -0500, David Mitton wrote:
>>>
>>> This was discussed in some other forum (which I lost my breadcrumbs to).
>>> It's moot to me, as I currently don't plan on changing that value.
>>> But login should not assume that  getpwnam(PAM_USER) will work until
>>> committed with a setcred.
>>
>> OK. I see your point and getpwnam() should be delayed as much as possible.
>>
>> However, login is required to setuid(<UID>) / setgid(<GID>) before
>> setcred, and <UID> or <GID> can only be found using getpwnam(PAM_USER).
>
> Why would that be?

Because else pam_setcred cannot modify them and calling them
afterwards would invalidate all changes pam_setcred() is doing.

> and where is it written?

Did you ever read the manual page about pam_setcred()?

"Such credentials should be established,
 by the application, prior to a call to this function. For example,
 initgroups(2) (or equivalent) should have been performed."

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]