Re: userid and groups questions
Both of these questions represent a running sore with PAM. libpwdb was
invented to partially address this sort of thing, but events have
somewhat overtaken it to the point that pwdb looks like it might be a
dead end. Glibc has a lot of nice 'nss' stuff that acts as a back end to
the POSIX getpw*() functions, and that's how this information is known to
non-authenticating aspects of a Linux system. (Think ls, who, chown
etc.)

If you want to alter the user-uid and user-group&gid mappings, you need
to look into the nss support in glibc.

It's the application that is responsible for setting the uid and gid(s).
Realize that some applications have no need to do this (databases for
example).

PAM currently can only reliably address authentication issues. (If you
want modules to do this, your best bet is to do it with credential
setting or session modules; be very careful to print a warning on the
label that they can only be used with setuid-0 programs.)

I hope this helps.

Cheers

Andrew
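The division of labour described above, as an added example that is not from this thread or from Linux-PAM itself: once the application has run pam_authenticate() and read the final user name back with pam_get_item(PAM_USER), it resolves uid, gid and supplementary groups through glibc's NSS and switches credentials itself; no module is involved. The PAM calls are assumed to have already happened, so only the NSS lookup and the credential switch are shown.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* A user's identity as the rest of the system sees it, via glibc NSS. */
struct identity {
    uid_t uid;
    gid_t gid;        /* primary group from the passwd entry */
    gid_t *groups;    /* supplementary groups, primary gid included */
    int ngroups;
};

/* Resolve the name obtained from pam_get_item(PAM_USER) to uid, gid and
 * the full group list through NSS (files, NIS, LDAP, ...).
 * Returns 0 on success, -1 if the user is unknown or a lookup fails. */
int resolve_identity(const char *name, struct identity *id)
{
    struct passwd pwd, *res = NULL;
    char buf[4096];
    if (getpwnam_r(name, &pwd, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;                          /* unknown user or NSS error */
    id->uid = pwd.pw_uid;
    id->gid = pwd.pw_gid;
    id->ngroups = 16;
    id->groups = malloc(sizeof(gid_t) * id->ngroups);
    if (!id->groups) return -1;
    /* getgrouplist() returns -1 and stores the required count in ngroups
     * when the buffer is too small; grow it and retry until it fits. */
    while (getgrouplist(name, pwd.pw_gid, id->groups, &id->ngroups) == -1) {
        gid_t *bigger = realloc(id->groups, sizeof(gid_t) * id->ngroups);
        if (!bigger) { free(id->groups); id->groups = NULL; return -1; }
        id->groups = bigger;
    }
    return 0;
}

/* Switch to that identity; only a setuid-0 program can. Order matters:
 * groups and gid before uid, since after setuid() to a non-root uid the
 * process can no longer change groups. Final check catches a silent fail. */
int apply_identity(const struct identity *id)
{
    if (setgroups((size_t)id->ngroups, id->groups) != 0) return -1;
    if (setgid(id->gid) != 0) return -1;
    if (setuid(id->uid) != 0) return -1;
    return (getuid() == id->uid && getgid() == id->gid) ? 0 : -1;
}
```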

Scott Rachels wrote:
> 
> My apologies for two seemingly elementary questions:
> 
> Q1) In a configuration with multiple authentication modules, how do I know
> (or force) which module sets the userid? pam_authenticate() takes a userid,
> but that doesn't prevent some module from asking the conversation for a
> userid. Say 3 modules authenticate against 3 different authentication
> mechanisms - each with different account databases. Each one can ask for and
> get a different userid - and then set it through pam_set_user() (or
> pam_set_item()?). How do I know or force which module sets the userid? In
> general do you always assume it is the last in the auth stack?
> 
> Q2) How does my PAM-enabled application obtain a list of groups to which a
> PAM authenticated user belongs? The list of groups is tied to a PAM module.
> For example, I may have a pam_myauth module followed by a pam_pwdb module. I
> want to get a list of groups for this user from both authentication
> mechanisms. There doesn't seem to be a standard way to set or get group
> membership from a pam module's authentication mechanism. I think
> pam_sm_set_cred() should set a standard pam item called PAM_GROUPS, then any
> module can append its groups to that item. My app just calls
> pam_get_item(PAM_GROUPS) to retrieve all groups from all authentication
> mechanisms.
> 
> Thanks for your help in understanding.
> 
> Scott Rachels