
Re: PAM and shadow

Previously Andrew Morgan wrote:
> Wichert Akkerman wrote:
> > I'm still curious why pam_start() doesn't allow a PAM module to
> > initialize itself, since that would solve this problem cleanly without
> > needing an external program, and might solve future problems as well.
> Could you elaborate?

Heh, I had forgotten I already wrote that :)

You could do something like this:
- someone calls pam_start
- pam_start figures out which modules to use and loads them
- pam_start calls an initialize function for each module
- initialize for pam_shadow does fopen("/etc/shadow")
- main program drops root privilege
- main program attempts to verify a user and calls pam_authenticate
- pam_shadow can still access /etc/shadow since it has an open
  filehandle, and uses fgetpwent to get the right entry. 

Module initializing might also be useful if you want to use something
like a SQL server for authentication. You can use the initialization to
establish the connection to the server which you can use later.


This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/
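The sequence proposed in the message above, sketched in C as an added example; it is not code from the original message or from Linux-PAM. The names shadow_init and shadow_lookup are hypothetical stand-ins for the suggested initialize hook and the later authenticate step, main assumes a setuid-root binary run by an ordinary user, and the lookup uses fgetspent(), the shadow-file counterpart of the call named in the message.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1       /* expose fgetspent() in glibc headers */
#endif
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical initialize hook (not a Linux-PAM function): called while the
 * process is still privileged; the returned handle is kept for later use. */
FILE *shadow_init(const char *path)
{
    return fopen(path, "re");   /* "e": close-on-exec, so exec'd children do not inherit it */
}

/* Hypothetical authenticate-time lookup: needs only the open handle, never the path.
 * Copies the stored hash for `user` into `out`; returns 0 if found, -1 otherwise. */
int shadow_lookup(FILE *fp, const char *user, char *out, size_t outlen)
{
    struct spwd *sp;

    if (fp == NULL || outlen == 0)
        return -1;
    rewind(fp);                 /* every lookup scans from the start of the file */
    while ((sp = fgetspent(fp)) != NULL) {
        if (strcmp(sp->sp_namp, user) != 0)
            continue;
        if (strlen(sp->sp_pwdp) >= outlen)
            return -1;          /* refuse to truncate a hash */
        strcpy(out, sp->sp_pwdp);
        return 0;
    }
    return -1;
}

int main(int argc, char **argv)
{
    char hash[256];
    FILE *fp = shadow_init("/etc/shadow");      /* succeeds only while euid is 0 */

    if (fp == NULL || argc < 2)
        return 1;
    /* Assumption: setuid-root binary run by an ordinary user. Give up root for good. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return 1;
    printf("reopen by path: %s\n", access("/etc/shadow", R_OK) == 0 ? "allowed" : "denied");
    printf("lookup via handle: %s\n", shadow_lookup(fp, argv[1], hash, sizeof hash) == 0 ? "found" : "not found");
    return 0;
}
```

Access is checked when the file is opened, so the handle keeps working after the drop; it also means the unprivileged process can still read every entry in the file, not only the one being verified.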
