[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Pam and radius


>    I can't work out where the user ID and group ID(s) are supposed to be
>    by PAM. In fact, from reading the pam_unix*.c and login.c code it
seems to
>    me that it's still the application's responsability to determine a
>    UID and GID(s)... which seems quite strange to me.
> That's because it's not part of PAM's job.  User ID and Group ID aren't
> an intrinsic part of an authentication mechanism such as S/Key, or
> Kerberos, or checking a user's password for that matter.  

I'm just trying to understand things here so please don't take the
following as a flame, just a plea to help me understand!!

In the absence of seeing the debate which has apparently already happened,
I am just curious as to why UID/GID is not considered part of the
authentication? Since for a given session on a Unix system, the user ID and
group-IDs specify the complete set of operations a user can perform while
using the system. It would seem to me that PAM's usefullness is quite
limited - it's not even possible to write an NIS client in PAM without
using getpwnam() if it can't tell us who the user 'really' is for the
purpose of Unix. Perhaps another unix-specific layer is required so that
getpwnam() can return non-/etc/passwd-based information for a user...

It seems to me that it's ridiculous to have one scheme to say "yes you can
log in", another to say "you can log in now", yet another to say "this user
has just logged in", and another one to say "this user's changing his/her
auth token" but nothing in the set of operations to say "this is what the
user can do". After all, the UID/GID set really does define the user's
permissions in most of the Unix domain.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []