[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Does pam_env.so work?



Seth Chaiklin wrote:
> On Thu, 5 Nov 1998, Andrew Morgan wrote:
> > Does this help clarify the situation?
> 
> Yes.  I am grateful for the detailed explanation.
> 
[..]
> When I read the PAM System Administrator Guide, it all sounded
> quite reasonable, and even brilliant in its intention.  But it
> is slowly dawning on me, that the "real, existing" state of modules is
> such that one almost has to be a module developer oneself, and study the
> source code for each module to know/understand how it is really working.

This is true.  This is why we need more friendly documentation, that can
warn the user of this type of problem.

> This may sound like sour grapes.  It is not meant to be.
> Rather I have been interested to write some small additions
> to the documentation to warn/explain for people what they
> should look out for.  But I keep finding myself over
> my head.   I wouldn't, for example, know how to write
> an addition to the pam_env documentation to explain about
> the above situation.  Hmmm...or it would of the following
> sort.  "Make sure to put pam_env.so before any authentication modules"

This sentance is something more than a naive admin would understand.  I
think this is something that should find its way into the guide.  You
might add some text to say that the control flags act on the
success/failure of stuff and thus the position of this module is likely
to have a significant effect on whether it is executed or not.

> And when it is pointed out that it is a common
> mistake in all modules, then I find myself thinking that
> all bets are off when one uses a module until one does
> some empirical experiments.  The docs are often more a
> statement of intentions, then a description of operations.

Indeed, the documentation is more optimistic than the code at this
point.  But, where a module does not do the right thing it is a _bug_
and some clear documentation would go a long way to making it obvious
when a bug has been found by someone who does not know how to program...

> I think I'll wait for Jim Dennis's promised article (-:

I suspect Jim is waiting for the documentation to be clearer...

> I am sure the PAM libraries do what they are supposed to do,
> and that the "rules" are documented in the RFC and API.

I'm not.  Problem reports are one thing that will improve PAM.  Without
some documentation, people have a hard time knowing what to expect.

> But it seems that the existing modules and the interactions between
> applications and modules are not always corresponding to
> the visions that the docs are presenting.  Is that fair
> to say?

In general, people use the default settings.  By experimenting with
things, you are pushing the envelope and will find documentation
problems and bugs in modules too... I hope!

> I like PAM, but it is also "caveat emptor"

The buyer may have to beware, but I'd like to offer the alterative
philosophy that everything is hard before it is easy.. Please continue
to ask questions, and please continue to submit snippets of text for the
documentation (this goes for everyone!).  So far you've added about a
page of text to the admin guide.  I've just added a note on this issue
to the module writer's guide to reflect the above problem too.

So thanks!

Andrew



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []