
Re: module unload?



On Thu, 6 Apr 2000, Michael Tokarev wrote:

> I noticed a strange thing.
> When I use login, su or another pamified app that implements session management,
> it will execute, say, a shell, and wait for it to terminate:

>  $ su -
>  Password: ...
>  # ps
>    PID TTY          TIME CMD
>  25989 pts/0    00:00:00 su  <---
>  ^^^^^
>  25990 pts/0    00:00:00 sh
>  26008 pts/0    00:00:00 ps
>  # _

> But:
>  # lsof /lib/security/pam_cracklib.so
>  COMMAND   PID USER  FD   TYPE DEVICE  SIZE NODE NAME
>  su      25989 root mem    REG    3,1 25041 5942 /lib/security/pam_cracklib.so
>          ^^^^^
>  # _

> So, pam_cracklib (just an example -- my "favorite" module) is loaded by su.
> But this module is not responsible for session management, it is
> not responsible even for authentication!

> Hence the (expected) question ...
> Why does libpam load all modules (here are more examples:
>  # lsof /lib/security/*.so | fgrep 25989
>  su      25989 root mem    REG    3,1  4799 5911 /lib/security/pam_deny.so
>  su      25989 root mem    REG    3,1 38801 5939 /lib/security/pam_pwdb.so
>  su      25989 root mem    REG    3,1 25041 5942 /lib/security/pam_cracklib.so
>  su      25989 root mem    REG    3,1 16674 5938 /lib/security/pam_xauth.so
> here are all the modules listed in /etc/pam.d/su!),
> and why does it not unload them on session start?

Simply put, these modules are not unloaded because the PAM library has no
way of knowing that the application is done with them until pam_end() is
called.  For instance, there is nothing in the PAM spec to prevent an
application from doing:
    pam_start()
    pam_authenticate()
    pam_setcred(.. PAM_ESTABLISH_CRED)
    pam_acct_mgmt()
    pam_open_session()
    pam_setcred(.. PAM_REFRESH_CRED)
    pam_chauthtok()
    pam_close_session()
    pam_end()

So all referenced modules are loaded when the PAM library is given the
service name (during pam_start), and they aren't closed until the PAM
library is sure they won't be used again.

Steve Langasek
postmodern programmer
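
An added example, not part of the original message or of Linux-PAM: a small parser that lists every module a service file references and the management types that use it, which per the reply above is the set kept mapped from pam_start() until pam_end(). The file contents are constructed (the thread's /etc/pam.d/su is not shown), the function names are hypothetical, and the set of types the application has already called is an assumption.

```python
import re

# Constructed sample: the thread's real /etc/pam.d/su is not shown on the page.
# Module names are the four from the lsof output; options are illustrative.
SAMPLE_SU = r"""#%PAM-1.0
auth       sufficient /lib/security/pam_pwdb.so shadow nullok
auth       required   /lib/security/pam_deny.so
account    required   /lib/security/pam_pwdb.so
password   required   /lib/security/pam_cracklib.so retry=3
password   required   /lib/security/pam_pwdb.so use_authtok \
           shadow nullok
session    required   /lib/security/pam_pwdb.so
session    optional   /lib/security/pam_xauth.so
"""

TYPES = {"auth", "account", "password", "session"}
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_service(text):
    """Map each module path in a PAM service file to the types that use it."""
    modules = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()             # drop comments
        m = RULE.match(line)
        if not m or m.group(1) not in TYPES:
            continue
        if m.group(2) in ("include", "substack"):
            continue  # names another service file, not a module
        modules.setdefault(m.group(3), set()).add(m.group(1))
    return modules

def loaded_but_uncalled(modules, called):
    """Modules referenced (so mapped) that serve none of the called types."""
    return sorted(p for p, types in modules.items() if not types & set(called))

if __name__ == "__main__":
    mods = parse_service(SAMPLE_SU)
    for path, types in sorted(mods.items()):
        print(f"{path:35} {','.join(sorted(types))}")
    # Assumption: su has so far used the auth, account and session stacks.
    print("mapped but not yet called:",
          loaded_but_uncalled(mods, {"auth", "account", "session"}))
```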


