[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM and Kerberos
Nicolas Williams <Nicolas.Williams@ubsw.com> writes:

>> PAM (and PAM_KRB5) would only be called by /bin/login and /bin/su.
>> /bin/login would call pam_authenticate() and /bin/su wouldn't. Both
>> would call PAM's account/session management functions and PAM_KRB5's
>> session management would handle renaming/chowning of the user's
>> credentials file as well as setting KRB5_CCNAME.

A nit: credentials should never be chown'd, and renaming is also not a
good idea.  They should be created *as* the user.  Otherwise, you can
get into trouble with interactions with sticky bits, race conditions,
quotas, permission mapping, or a number of other unix subtleties which
all vanish when you just call creat() as the user who owns the
tickets.

Hopefully, it isn't an inherent property of PAM that you need to use
chown.

		Marc
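As an added illustration of the point above (this is example code written for this page, not PAM, pam_krb5 or MIT Kerberos code): a helper that creates the credentials cache file with the user's own identity instead of creating it as root and chown()ing it afterwards. The function name, the temporary euid/egid switch and the scratch path under $TMPDIR are assumptions of the example, not anything the original message describes. The demo function creates the file, verifies owner and mode, and then shows that a second create attempt on the same path fails with EEXIST because of O_EXCL, which is what closes the "someone planted a file or symlink there first" race that a create-as-root-then-chown sequence leaves open.

```c
/* Added example: create a credentials cache *as* the target user.
 * Not PAM or Kerberos code; function names and approach are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` with mode 0600 while running with the identity uid:gid.
 * Returns an open fd, or -1 with errno set. If the caller's effective uid
 * already is `uid` (the normal non-root test case) no switch is needed;
 * a root caller temporarily drops its effective ids so that quota,
 * sticky-bit and permission checks apply to the user, not to root.
 * (A real session module would also set the user's supplementary groups;
 * left out here to keep the example short.) */
int create_ccache_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int switched = 0;
    int fd, saved_errno;

    if (saved_euid != uid) {
        /* Order matters: change gid while still root, then uid. */
        if (setegid(gid) != 0)
            return -1;
        if (seteuid(uid) != 0) {
            saved_errno = errno;
            (void)setegid(saved_egid);
            errno = saved_errno;
            return -1;
        }
        switched = 1;
    }

    /* O_EXCL: never adopt a file that already exists at this path.
     * O_NOFOLLOW: never follow a symlink someone planted in a sticky /tmp.
     * Both checks are done by the kernel as the user, atomically with the
     * create, which is exactly what a later chown()/rename() cannot do. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    saved_errno = errno;

    if (switched) {
        /* Failing to regain root here would leave the process in an
         * unknown privilege state; treat it as fatal. */
        if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
            abort();
    }
    errno = saved_errno;
    return fd;
}

/* Walks through the behaviour on a constructed scratch path.
 * Returns 0 on success, otherwise the number of the step that failed. */
int demo_ccache_creation(void)
{
    char path[256];
    const char *dir = getenv("TMPDIR");
    struct stat st;
    int fd, again;

    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    /* Constructed scratch path for the example; pid keeps it unique. */
    snprintf(path, sizeof path, "%s/krb5cc_example_%ld", dir, (long)getpid());
    (void)unlink(path);

    fd = create_ccache_as_user(path, getuid(), getgid());
    if (fd < 0)
        return 1;
    if (fstat(fd, &st) != 0) {
        close(fd); unlink(path); return 2;
    }
    /* Owned by the user and 0600 straight from creation: no chown needed. */
    if (st.st_uid != getuid() || (st.st_mode & 07777) != 0600) {
        close(fd); unlink(path); return 3;
    }
    /* Second create on the same path must be refused with EEXIST. */
    again = create_ccache_as_user(path, getuid(), getgid());
    if (again >= 0 || errno != EEXIST) {
        if (again >= 0) close(again);
        close(fd); unlink(path); return 4;
    }
    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    int rc = demo_ccache_creation();
    printf("demo_ccache_creation: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Run as an ordinary user it exercises the no-switch path; run as root it also exercises the euid/egid drop. The point the example makes is the one in the message: with the file created as the user, the O_EXCL/O_NOFOLLOW checks, quota accounting and sticky-directory rules are all applied by the kernel in one step, so there is no window in which a root-owned file sits in a shared directory waiting to be renamed or chowned.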
