Re: userid and groups questions

Andrew Morgan <morgan@transmeta.com> writes:


> PAM currently can only reliably address authentication issues. (If you
> want modules to do this, your best bet is to do it with credential
> setting or session modules, be very careful to print a warning on the
> label that they can only be used with setuid-0 programs..)


> Scott Rachels wrote:
> > 
> > My apologies for two seemingly elementary questions:
> > 
> > Q1) In a configuration with multiple authentication modules, how do I know
> > (or force) which module sets the userid?  pam_authenticate() takes a userid,
> > but that doesn't prevent some module from asking the conversation for a
> > userid. Say 3 modules authenticate against 3 different authentication
> > mechanisms - each with different account databases. Each one can ask for and
> > get a different userid - and then set it through pam_set_user() (or
> > pam_set_item()?). How do I know or force which module sets the userid? In
> > general do you always assume it is the last in the auth stack?


This to me sounds like an issue PAM /should/ address. Do you really want
some module other than the first one to be able to set the user id?


Tom Vaughan <tvaughan at aventail dot com>
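
Added example, not part of the thread and not Linux-PAM code: a small Python model of the PAM_USER item as an auth stack runs, recording which module overwrote an already-established user name. It assumes only that pam_set_item(PAM_USER) is a plain overwrite and that pam_get_user() reuses PAM_USER when it is already set; the module names and user names are constructed.

```python
"""Model of the PAM_USER item across an auth stack (illustrative, not libpam)."""

class Handle:
    def __init__(self, user=None):
        self.user = user      # PAM_USER, as given to pam_start(), or None
        self.writes = []      # audit trail: (module, old value, new value)

    def set_user(self, module, name):
        # Like pam_set_item(PAM_USER): a plain overwrite, so the last writer wins.
        self.writes.append((module, self.user, name))
        self.user = name

    def get_user(self, module, ask):
        # Like pam_get_user(): reuse PAM_USER if already set, otherwise prompt.
        if self.user is None:
            self.set_user(module, ask())
        return self.user


def polite(name, answer):
    """Module that accepts whatever user name is already established."""
    return lambda h: h.get_user(name, lambda: answer)


def overriding(name, answer):
    """Module that always prompts for its own account name and stores it."""
    return lambda h: h.set_user(name, answer)


def run_stack(stack, initial_user=None):
    """Run every module in order against one handle and return the handle."""
    h = Handle(initial_user)
    for module in stack:
        module(h)
    return h


def overrides(h):
    """Writes that replaced an already-established user with a different one."""
    return [(m, old, new) for m, old, new in h.writes
            if old is not None and old != new]


# Constructed stack: three modules backed by three different account databases.
STACK = [polite("mod_a", "alice"),
         overriding("mod_b", "a.smith"),
         polite("mod_c", "asmith01")]

if __name__ == "__main__":
    h = run_stack(STACK)
    print("final PAM_USER:", h.user)
    for m, old, new in overrides(h):
        print(f"{m} replaced {old!r} with {new!r}")
```

In this model the final user is decided by the last module that wrote the item, not by its position in the stack, which is why an application that cares should compare the name it asked for with PAM_USER after authentication.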

