
Re: userid and groups questions



Scott Rachels wrote:
> My goal is not to SET uid or gid. My goal is to RETRIEVE the uid and set of
> groups to which the uid belongs for any given authentication system. I'm
> implementing an access control system that uses PAM to authenticate a user.
> I want to a) query the uid authenticated by PAM and b) query the list of
> groups to which the uid belongs. My access control system will then search
> for acls in my acl table that grant or deny rights to that uid or its
> groups.

PAM has an item for PAM_USER -> username.

POSIX takes care of the username->uid,gids mapping.

getpwnam(username) -> uid for username;

foreach gid {
  getgrgid(gid) -> not a very efficient method for identifying all of the
user's groups
}

> It seems like a PAM module should be able to set a PAM_GROUP environment
> item in the pam_sm_setcred() function. My application should then be able to
> get that item. How can I do this? Any authentication system may potentially

This is pretty similar to what libpwdb was all about... (sic) It hasn't
made much progress, the glibc nss stuff has, so I'd recommend you look
at that and see if you can do what you want with some custom nss module.

> Also, I didn't understand your answer in regards to my 1st question. I have
> pasted it below. I'm still not sure if I have two authentication mechanisms
> configured in my PAM stack, how do I know or force which one sets the
> PAM_USER item?

You should always use the pam_get_user() function. This basically does
the right thing.

> > Q1) In a configuration with multiple authentication modules, how do I know
> > (or force) which module sets the userid.  pam_authenticate() takes a
> > userid,

By userid, if you mean username, then pam_get_user() is the right way to
go. As Steve L. pointed out, 'enforcing' a no-change policy is a little
hard given that the whole PAM thing runs in the context of the
application.

> > but that doesn't prevent some module for asking the conversation for a
> > userid. Say 3 modules authenticate against 3 different authentication
> > mechanisms - each with different account databases. Each one can ask for
> > and
> > get a different userid - and then set it through pam_set_user() (or

There isn't a pam_set_user() function. Perhaps you've read a typo
somewhere and been confused? If so, tell me where -- I'd like to fix it.

> > pam_set_item()?). How do I know or force which module sets the userid. In
> > general do you always assume it is the last in the auth stack?

pam_get_user() only asks the user for a username if PAM_USER is not set,
if PAM_USER is available, you get that one. If that function didn't
exist, you would do something like:

  const char *username = NULL;
  pam_get_item(pamh, PAM_USER, (const void **)&username);
  if (username == NULL) {
	... set up a conversation for the username ...
        pam_set_item(pamh, PAM_USER, username);
  }

I hope this clarifies things.

Cheers

Andrew
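An added example (my own code, not part of the Linux-PAM project or of
Andrew's reply) that puts the two halves of the answer together: the
application takes the name PAM authenticated (pam_get_user() on PAM_USER)
and resolves it through POSIX/NSS to a uid and the full set of gids, using
getgrouplist() instead of the getgrgid()-per-gid walk, then matches a
small ACL table against that identity. The ACL table layout, the
"deny wins, default deny" rule and the sample entries are assumptions for
the example; the pam_get_user() call is shown only in the comment because
it needs -lpam, everything else builds against libc alone.

```c
/*
 * Added example (not Linux-PAM project code): resolve the PAM-authenticated
 * username to uid + all gids and evaluate a hypothetical ACL table on it.
 *
 * The PAM side is one call in the application, after pam_authenticate():
 *     const char *user;
 *     if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) -> deny
 * It is omitted here so the block builds with libc only.
 */
#define _GNU_SOURCE            /* getgrouplist() prototype on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

struct identity {
    uid_t uid;
    gid_t gid;      /* primary group from the passwd entry */
    gid_t *gids;    /* primary gid first, then supplementary groups */
    int ngids;
};

/* Returns 0 on success, -1 on any failure; on failure *id is untouched
 * (fail closed: no identity, no rights). The caller frees id->gids. */
int resolve_identity(const char *username, struct identity *id)
{
    if (username == NULL || *username == '\0')
        return -1;
    struct passwd *pw = getpwnam(username);
    if (pw == NULL)
        return -1;                    /* unknown to NSS (files, ldap, ...) */

    /* getgrouplist() lets NSS enumerate the user's groups in one pass
     * instead of calling getgrgid() for every gid. It returns -1 when the
     * buffer is too small, so grow and retry. */
    int n = 16;
    gid_t *gids = NULL;
    for (;;) {
        gid_t *tmp = realloc(gids, (size_t)n * sizeof *gids);
        if (tmp == NULL) {
            free(gids);
            return -1;
        }
        gids = tmp;
        int want = n;
        if (getgrouplist(pw->pw_name, pw->pw_gid, gids, &want) != -1) {
            n = want;                 /* entries actually filled */
            break;
        }
        n = (want > n) ? want : n * 2;  /* glibc/musl report the needed size */
    }
    id->uid = pw->pw_uid;
    id->gid = pw->pw_gid;
    id->gids = gids;
    id->ngids = n;
    return 0;
}

int identity_has_gid(const struct identity *id, gid_t gid)
{
    for (int i = 0; i < id->ngids; i++)
        if (id->gids[i] == gid)
            return 1;
    return 0;
}

/* Hypothetical ACL table shape: each entry grants or denies one uid or gid. */
enum acl_kind { ACL_UID, ACL_GID };
enum acl_effect { ACL_ALLOW, ACL_DENY };
struct acl_entry { enum acl_kind kind; unsigned int id; enum acl_effect effect; };

/* Default deny: 1 only if some entry allows the uid or one of its gids and
 * no matching entry denies. A matching deny anywhere wins. */
int acl_permits(const struct identity *id, const struct acl_entry *acl, size_t n)
{
    int allowed = 0;
    for (size_t i = 0; i < n; i++) {
        int match = (acl[i].kind == ACL_UID)
                        ? (acl[i].id == (unsigned int)id->uid)
                        : identity_has_gid(id, (gid_t)acl[i].id);
        if (!match)
            continue;
        if (acl[i].effect == ACL_DENY)
            return 0;
        allowed = 1;
    }
    return allowed;
}

int main(int argc, char **argv)
{
    /* Stand-in for the PAM_USER value; "root" exists on any POSIX system. */
    const char *user = argc > 1 ? argv[1] : "root";
    struct identity id;
    if (resolve_identity(user, &id) != 0) {
        fprintf(stderr, "cannot resolve %s: denying\n", user);
        return 1;
    }
    printf("%s uid=%u groups:", user, (unsigned)id.uid);
    for (int i = 0; i < id.ngids; i++)
        printf(" %u", (unsigned)id.gids[i]);
    putchar('\n');
    free(id.gids);
    return 0;
}
```

Note that resolve_identity() refuses an empty or missing name rather than
letting a lookup of "" succeed by accident, and that the ACL evaluation
treats an unresolvable user exactly like a user with no matching entries:
denied. That is the behaviour you want when any one of several PAM auth
modules could have been the one to set PAM_USER.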


