Re: PAM and /bin/login, acct_mgmt() vs authenticate()



On Fri, Aug 18, 2000 at 04:09:48PM -0400, Nalin Dahyabhai wrote:
> On Fri, Aug 18, 2000 at 03:38:47PM -0400, Nicolas Williams wrote:
> > One thing I realize is that several LinuxPAM modules perform account
> > authorization checks in pam_sm_authenticate() rather than in
> > pam_sm_acct_mgmt(). I think this is a mistake.
> 
> I think the last time this was brought up on this list, everyone who
> voiced an opinion agreed with that.

So these modules need fixing then?

> > I'm also mystified by the number of modules that provide noop
> > pam_sm_setcred() functions, instead of not providing any.
> 
> If your module provides pam_sm_authenticate(), you're required to provide
> pam_sm_setcred(), even if it does nothing.

Ah. Makes sense.

> > The /bin/login / PAM interaction sequence for the successful login case
> > should probably be:
> > 
> >  - process options
> >  - call pam_start()
> >  - call pam_authenticate() unless -f && euid == 0
> 
> I think there should be a call to pam_acct_mgmt() here, specifically to
> support correct usage of modules like pam_shells and pam_securetty.

Oops. I meant to have that there. It was the main point of my post.  Doh.

> >  - call pam_open_session() to deal with utmp, logging, auditing, tty ownership
> >  - setgid(), setgroups()
> >  - call pam_setcred() to establish creds
> >  - setuid()
> >  - pam_end()
> >  - cd to the user's home directory
> >  - exec() the user's shell
> 
> You can't pam_end() before the shell starts, because you have to call
> pam_setcred(PAM_DELETE_CREDS) and pam_close_session() before you do
> that.  For this to work, login forks, handles the last two steps, and
> the parent takes care of a proper PAM shutdown when its child exits.

Hmmm. Well, that's not how Solaris 2.6 does it.

There seems to be an assumption that you can call pam_end() without
calling pam_close_session() and that later you can call pam_start()
again, use pam_set_item to set the relevant items (user, ruser, rhost,
tty) and then call pam_close_session() and pam_end().

I think this is fine, provided that PAM, or, rather, the various PAM
modules can retrieve the necessary state given just those items.

So, on Solaris, pam_close_session() is called by telnetd and friends,
not by /bin/login.

> Nalin
> 


Nico
--