
PAM modules that reset the user name



Hi all,

	I am working on a PAM module that maps usernames
during the authentication process. While testing this,
I've encountered two types of applications: those that
refer to pamh to retrieve the username once authentication
is complete (login is the only program of this class that
I've found so far), and those that continue to use the
initial login name they were given (every other program
I've tested (imap, chsh, su, passwd)). I'm wondering
which behavior is the "correct" behavior? Also, a lot
of applications seem to rely on the getpw*() functions
to determine the existence of a user. Is this simply a
case of legacy APIs, or am I abusing the PAM API?

	Finally, assuming that I am not doing anything
that PAM wasn't intended for, is there an accepted way
to use the PAM API to test for the existence of a user
without attempting to authenticate? For example, any
number of programs allow root to modify attributes for
other users, without requiring any authentication. Now,
this could be handled via authentication using the
pam_rootok module if listed as sufficient, but this
particular module seems to require that the real uid be
0, and not just the euid. Is this intended? 

	Any input is appreciated.

Thanks,
Chris




