Re: Linux PAM fixes

On Thu, Jan 25, 2001 at 08:40:30AM -0800, Andrew Morgan wrote:
> "David J. MacKenzie" wrote:
> > Right, su should call pam_setcred to both create and delete the credentials.
> > The current distribution of su in Linux-Mandrake sh-utils only calls it
> > to create them.  I suspect other Linux distributions are using the
> > same PAM patches, but I haven't checked.
> I just want to say that I don't believe that su should skip the session
> calls. Having the hooks for session calls is something the admin can
> choose to use or not use as they see fit. (They can always put
> pam_permit.so modules to make the calls no-ops, but for auditing reasons
> these hooks are very useful to the admin.)

This is true as long as su uses a su-specific PAM_SERVICE name, which it
should and does.

That convinces me. Su should call the session functions.
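
An added example, not part of the original message and not code from any distribution's su: a C sketch of the pairing discussed in this thread, where credentials are both created and deleted and the session hooks are opened and closed, including on the failure path. The `call()` stub and its step names are hypothetical stand-ins for libpam's `pam_setcred` (with `PAM_ESTABLISH_CRED` / `PAM_DELETE_CRED`), `pam_open_session` and `pam_close_session`, so the ordering can be run without a PAM stack.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for libpam (assumption): a real su would make these calls on a
   handle obtained from pam_start() with its su-specific service name. */
enum { OK = 0, FAIL = 1 };
static char trace[256];      /* records the order of calls */
static const char *fail_at;  /* step that should fail, or NULL (constructed) */

static int call(const char *name) {
    strcat(trace, name);
    strcat(trace, ";");
    return (fail_at && strcmp(fail_at, name) == 0) ? FAIL : OK;
}

/* Post-authentication part of su: every step that succeeded is undone in
   reverse order, whether the shell ran or a later step failed. */
int su_session(int (*run_shell)(void)) {
    int status = -1;
    if (call("setcred_establish") != OK)
        return -1;                       /* nothing to undo yet */
    if (call("open_session") != OK)
        goto drop_cred;                  /* credentials exist: delete them */
    status = run_shell();                /* fork/exec/wait in a real su */
    if (call("close_session") != OK)
        status = -1;
drop_cred:
    if (call("setcred_delete") != OK)    /* the call the thread says is missing */
        status = -1;
    return status;
}

static int fake_shell(void) { call("shell"); return 0; }

/* Runs one scenario and returns the recorded call order. */
const char *run_case(const char *fail) {
    trace[0] = '\0';
    fail_at = fail;
    su_session(fake_shell);
    return trace;
}

int main(void) {
    printf("normal:       %s\n", run_case(NULL));
    printf("session fail: %s\n", run_case("open_session"));
    return 0;
}
```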

