
Re: userid and groups questions



tvaughan@aventail.com wrote:

> Andrew Morgan <morgan@transmeta.com> writes:
>
> [snip]
>
> > PAM currently can only reliably address authentication issues. (If you
> > want modules to do this, your best bet is to do it with credential
> > setting or session modules, be very careful to print a warning on the
> > label that they can only be used with setuid-0 programs..)
>
> [snip]
>
> >
> > Scott Rachels wrote:
> > >
> > > My apologies for two seemingly elementary questions:
> > >
> > > Q1) In a configuration with multiple authentication modules, how do I know
> > > (or force) which module sets the userid?  pam_authenticate() takes a userid,
> > > but that doesn't prevent some module from asking the conversation for a
> > > userid. Say 3 modules authenticate against 3 different authentication
> > > mechanisms - each with different account databases. Each one can ask for and
> > > get a different userid - and then set it through pam_set_user() (or
> > > pam_set_item()?). How do I know or force which module sets the userid? In
> > > general do you always assume it is the last in the auth stack?
>
> [snip]
>
> This to me sounds like an issue PAM /should/ address. Do you really want
> some module other than the first one to be able to set the user id?
>
> -Tom

Perhaps we could have "credentials" modules that would get invoked after
authentication and account management have been run?

Scott



