[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Login PAM interaction suspect



On Fri, Nov 18, Tomas Mraz wrote:

> On Thu, 2011-11-17 at 16:59 +0100, Thorsten Kukuk wrote: 
> > On Thu, Nov 17, David Mitton wrote:
> > 
> > 
> > > Which was the first thing I saw login do wrong.  It calls pam_open_session 
> > > before pam_setcred.  I'm waiting for someone to explain that.
> > 
> > As I think somebody wrote already here: it's a bug in login where
> > I did send already a patch upstream.
> 
> Note that the original PAM RFC has an example where the pam_setcred() is
> called AFTER the pam_open_session(). This conflict with the manual page
> was never resolved one way or another.

The requirement to call pam_setcred() before pam_open_session() was only
found out later, when people did recognize that you need to set the
credentials before calling pam_open_session, so that some things, which 
needs the credentials, can work in pam_open_session(). I remember
at least pam_mount and kerberos for example.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]