
Re: userid and groups questions



Thanks for your response. Let me clarify my goal:

My goal is not to SET uid or gid. My goal is to RETRIEVE the uid and set of
groups to which the uid belongs for any given authentication system. I'm
implementing an access control system that uses PAM to authenticate a user.
I want to a) query the uid authenticated by PAM and b) query the list of
groups to which the uid belongs. My access control system will then search
for acls in my acl table that grant or deny rights to that uid or its
groups.

It seems like a PAM module should be able to set a PAM_GROUP environment
item in the pam_sm_setcred() function. My application should then be able to
get that item. How can I do this? Any authentication system may potentially
define groups and assign users to those groups. I want to be able to
retrieve those groups independent of the authentication system. Thus the
groups are not necessarily retrievable from the nss support in glibc.

Also, I didn't understand your answer in regards to my 1st question. I have
pasted it below. I'm still not sure if I have two authentication mechanisms
configured in my PAM stack, how do I know or force which one sets the
PAM_USER item?
> Q1) In a configuration with multiple authentication modules, how do I know
> (or force) which module sets the userid.  pam_authenticate() takes a userid,
> but that doesn't prevent some module from asking the conversation for a
> userid. Say 3 modules authenticate against 3 different authentication
> mechanisms - each with different account databases. Each one can ask for and
> get a different userid - and then set it through pam_set_user() (or
> pam_set_item()?). How do I know or force which module sets the userid? In
> general do you always assume it is the last in the auth stack?
>

Thanks again!

----- Original Message -----
From: Andrew Morgan <morgan@transmeta.com>
To: <pam-list@redhat.com>
Sent: Wednesday, September 22, 1999 4:11 PM
Subject: Re: userid and groups questions


> If you want to alter the user-uid and user-group&gid mappings, you need
> to look into the nss support in glibc.
>
> It's the application that is responsible for setting the uid and gid(s).
> Realize that some applications have no need to do this (databases for
> example).
>



