
Re: Does pam_env.so work?

Seth Chaiklin wrote:
> > > > Seth Chaiklin wrote:
> > > > > auth       required   pam_nologin.so
> > > > > auth       required   pam_securetty.so
> > > > > auth       sufficient pam_unix_auth.so
> > > > > auth       required   pam_nw_auth.so PSY
> > > > > auth       required   pam_env.so debug
> > > >
> > Easy. pam_env (presumably) sets variables in the set_cred step. The unix
> > set_cred is sufficient (and succeeds) and so the pam_env one never gets
> > hit..

> So I reasoned, if I use the pam_nw_auth module, then I can put
> pam_env either before or after pam_nw_auth, because they are
> both required and the pam_unix_auth module will not be hit.
> I was wrong.  Neither case would set environmental variables.
> Only if pam_env was before both pam_unix_auth and pam_nw_auth.
> What am I still missing in my understanding?

The confusion is because 'auth' is used for both the authentication and
the setcred functions.  How far down the stack libpam goes is determined
by the return codes of the modules.  If the modules have different error
codes when run in authenticate and setcred modes, the path through the
modules will be different... To be specific, if pam_unix returns
PAM_PERM_DENIED when called from pam_authenticate, then pam_nw_auth.so
is invoked for authentication.  Then later when pam_setcred is called,
pam_unix always returns PAM_SUCCESS and pam_nw_auth is not called...

This confusion is partly a design error in libpam and partly an
implementation error in pam_unix (but it is a common mistake in all of the
modules).  As Derrick has pointed out in times past, the only sane thing
to do here is for the modules to 'remember' what they returned when they
were invoked in authenticate mode and return the same thing when they are
invoked in setcred mode.

Does this help clarify the situation?
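To make the two passes concrete, here is a small constructed model of how libpam walks the 'auth' stack from the original post once for pam_authenticate and once for pam_setcred (an added example, not code from the list or from libpam); the per-module return codes are assumed exactly as described above, with pam_unix refusing in authenticate mode but reporting success from setcred.

```python
# Constructed model of a libpam 'auth' stack walk. Control flags follow the
# classic semantics: 'required' records a failure but keeps walking,
# 'sufficient' returns immediately on success unless an earlier 'required'
# module has already failed. Module results are constructed for this example.
PAM_SUCCESS, PAM_PERM_DENIED = 0, 6   # libpam codes; only equality matters here

# (control, module): the stack from the original post, pam_env last.
STACK_ENV_LAST = [
    ("required",   "pam_nologin.so"),
    ("required",   "pam_securetty.so"),
    ("sufficient", "pam_unix_auth.so"),
    ("required",   "pam_nw_auth.so"),
    ("required",   "pam_env.so"),
]
# Same modules with pam_env ahead of both authenticators (the order that worked).
STACK_ENV_FIRST = [STACK_ENV_LAST[0], STACK_ENV_LAST[1], STACK_ENV_LAST[4],
                   STACK_ENV_LAST[2], STACK_ENV_LAST[3]]

def module_result(module, mode):
    """Assumed behaviour for a user known only to the NetWare side: pam_unix
    denies in authenticate mode but always succeeds from its setcred entry."""
    if module == "pam_unix_auth.so" and mode == "authenticate":
        return PAM_PERM_DENIED
    return PAM_SUCCESS

def run_stack(stack, mode):
    """Walk the stack in the given mode; return (final code, modules invoked)."""
    invoked, failed = [], False
    for control, module in stack:
        invoked.append(module)
        rc = module_result(module, mode)
        if control == "required" and rc != PAM_SUCCESS:
            failed = True                     # remembered, but keep walking
        elif control == "sufficient" and rc == PAM_SUCCESS and not failed:
            return PAM_SUCCESS, invoked       # short-circuit: the rest never runs
    return (PAM_PERM_DENIED if failed else PAM_SUCCESS), invoked

def env_module_reached(stack):
    """True only if pam_env is invoked in BOTH passes (authenticate and setcred)."""
    return all("pam_env.so" in run_stack(stack, mode)[1]
               for mode in ("authenticate", "setcred"))
```

With pam_env last, the authenticate pass reaches all five modules but the setcred pass stops at pam_unix, which is why the variables were never set; moving pam_env ahead of both authenticators makes it run in both passes.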
