
Re: Does pam_env.so work?

On Thu, 5 Nov 1998, Andrew Morgan wrote:

> > What am I still missing in my understanding?
> This confusion is partly design error in libpam and partly
> implementation error in pam_unix (but is a common mistake in all of the
> modules).  As Derrick has pointed out in time past, the only sane thing
> to do here is for the modules to 'remember' what they returned when they
> were invoked in authenticate mode and return the same thing when they are
> invoked in setcred mode.
> Does this help clarify the situation?

Yes.  I am grateful for the detailed explanation.

But now I would like to ask a general question that grows out
of this concrete case.  As should be apparent, I am roughly
in the category of "stupid user" (who happens to be an
administrator for a small departmental system).  

When I read the PAM System Administrator Guide, it all sounded
quite reasonable, and even brilliant in its intention.  But it 
is slowly dawning on me, that the "real, existing" state of modules is
such that one almost has to be a module developer oneself, and study the
source code for each module to know/understand how it is really working. 

This may sound like sour grapes.  It is not meant to be.
Rather, I have been interested in writing some small additions
to the documentation to warn/explain for people what they
should look out for.  But I keep finding myself over
my head.   I wouldn't, for example, know how to write
an addition to the pam_env documentation to explain about
the above situation.  Hmmm... or it would be of the following
sort: "Make sure to put pam_env.so before any authentication modules."

And when it is pointed out that it is a common
mistake in all modules, then I find myself thinking that
all bets are off when one uses a module until one does 
some empirical experiments.  The docs are often more a
statement of intentions than a description of operations.
I think I'll wait for Jim Dennis's promised article (-:

I am sure the PAM libraries do what they are supposed to do,
and that the "rules" are documented in the RFC and API. 
But it seems that the existing modules and the interactions between
applications and modules do not always correspond to
the visions that the docs are presenting.  Is that fair
to say?

I like PAM, but it is also "caveat emptor".
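As an added illustration (not part of the original message and not a file shipped with Linux-PAM), here is a constructed /etc/pam.d stack for a hypothetical service called example-login that follows the ordering suggested above: pam_env.so is listed before any authentication module. The service name, the full module paths (in the 1998-era style of naming the module by path) and the choice of pam_unix.so for the remaining lines are assumptions; substitute whatever your own installation uses.

```text
# /etc/pam.d/example-login  (constructed example, not a Linux-PAM file)
#
# Ordering that the post warns about: pam_env.so listed after the
# authentication module.
#
#   auth     required   /lib/security/pam_unix.so
#   auth     required   /lib/security/pam_env.so
#
# Ordering suggested in the post: pam_env.so first, before any
# authentication module.
auth     required   /lib/security/pam_env.so
auth     required   /lib/security/pam_unix.so
account  required   /lib/security/pam_unix.so
session  required   /lib/security/pam_unix.so
```

Whether a given ordering behaves as expected still depends on what each module returns when it is invoked in setcred mode versus authenticate mode, which, as the quoted explanation points out, is not always consistent across modules. Reading the module's source or testing the stack empirically, as the post suggests, is the only way to be sure for the modules actually installed on a system.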

