
Re: Is this legitimate? (Module/application interaction.)

On 04-Nov-98 Andrew Morgan wrote:
> Allan Bjorklund wrote:
>>    Never mind.  I just found the text that implies I can't do this.
>>    Section 7.3 of X/Open rfc 86.0:
>>      ... we have designed the PAM API's to not return any data to
>>      the application, except status.
>>    Though in section 11 it says:
>>      One possible extension to PAM is to allow the passing of
>>      module-specific data between applications and PAM modules.
>>    Which would help me out if that work had been done.  I can do the
>> authentication inside a module, but the authentication routine returns
>> pieces that need to be propagated back up to the application. <sigh>
> Are environment variables (pam_putenv/getenv) sufficient?

  For some items yes, except that I'm worried about the security of
items placed there.  Other items are binary data of various sizes.

> The pam_[sg]et_item()s are the other obvious interface..  If someone
> could come up with a PAM_SESSION_INFO item-type that had sufficiently
> low maintenance cost but a high extensibility, I can think of a number
> of things that might benefit from it.

  Let's see...

    Application places a structure in place with a name tag being the
first element.  Module checks this name tag, if it recognizes it, it can
fill it in, otherwise ignore.  The application would be responsible for
clean up.

  Or the structure could be like this:

      struct session_data {
               char                *name_tag;          /* identifies the data */
               struct session_data *next;              /* next exported item */
               int                 (*cleanup)(/* clean up parameters */);
               void                *session_data_ptr;  /* module-specific data */
      };

  Modules could then chain various data they would like to export to
the application.

  Alternatively, omit the clean up function and have the application put
the list in place.  The modules can then check the list to see if there
is a name tag they recognize in it.  The application becomes responsible
for clean up.  Could also remove the *next and just use a name_tag ==
NULL to mark the end of this list if we have the application allocate
the list all at once.


  Allan Bjorklund                  |                  allan@umich.edu
  Systems Research Programmer      |           University of Michigan
  Information Technology Division  |               535 W. William St.
  1-(734)-763-9391                 |              Ann Arbor, MI 48103
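
The application-allocated, NULL-terminated variant described in the message above, as an added example that is not part of the original post or of any PAM implementation. The names export_slot, module_export and app_cleanup, and the cap/len fields, are hypothetical; the size fields are an assumption added so that binary data of various sizes can be copied with a bounds check and wiped by the application afterwards.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical slot: the post's name_tag, plus an explicit capacity and
 * length (assumed additions) so binary data of any size can be carried. */
struct export_slot {
    const char *name_tag;  /* NULL marks the end of the list */
    void       *data;      /* buffer owned by the application */
    size_t      cap;       /* bytes available in data */
    size_t      len;       /* bytes a module wrote, 0 if unfilled */
};

/* Module side: fill the slot whose tag is recognized, ignore the rest.
 * Returns 0 on success, -1 if the tag is absent or the data does not fit. */
int module_export(struct export_slot *list, const char *tag,
                  const void *src, size_t n)
{
    for (struct export_slot *s = list; s && s->name_tag; s++) {
        if (strcmp(s->name_tag, tag) != 0)
            continue;
        if (n > s->cap)
            return -1;     /* never write past the application's buffer */
        memcpy(s->data, src, n);
        s->len = n;
        return 0;
    }
    return -1;
}

/* Application side: wipe every buffer, since a slot may hold secrets.
 * The volatile pointer keeps the compiler from dropping the wipe. */
void app_cleanup(struct export_slot *list)
{
    for (struct export_slot *s = list; s && s->name_tag; s++) {
        volatile unsigned char *p = s->data;
        for (size_t i = 0; i < s->cap; i++)
            p[i] = 0;
        s->len = 0;
    }
}

int main(void)
{
    unsigned char buf[16];                      /* constructed sample */
    struct export_slot list[] = { { "example.ticket", buf, sizeof buf, 0 },
                                  { NULL, NULL, 0, 0 } };
    int rc = module_export(list, "example.ticket", "\x01\x00\x02", 3);
    app_cleanup(list);
    return rc;
}
```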
