Login PAM interaction suspect
Tomas Mraz
tmraz at redhat.com
Fri Nov 18 10:46:06 UTC 2011
On Thu, 2011-11-17 at 16:59 +0100, Thorsten Kukuk wrote:
> On Thu, Nov 17, David Mitton wrote:
>
>
> > Which was the first thing I saw login do wrong. It calls pam_open_session
> > before pam_setcred. I'm waiting for someone to explain that.
>
> As I think somebody wrote already here: it's a bug in login where
> I did send already a patch upstream.
Note that the original PAM RFC has an example where the pam_setcred() is
called AFTER the pam_open_session(). This conflict with the manual page
was never resolved one way or another. Some applications prefer calling
pam_setcred() twice with PAM_ESTABLISH_CRED before pam_open_session()
and with PAM_REINITIALIZE_CRED after pam_open_session().
Also for David, I'd really say, that what you want to do is really a
hack as the correct thing would be to write a proper nsswitch module or
to use an existing one. And if you insist on such a hack you should
really use pam_acct_mgmt() call to put the user into the
local /etc/passwd instead of relying on pam_setcred() behavior in one
way or another.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
More information about the Pam-list
mailing list