[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sufficient account management checking for locally defined users

>>>>> "Martin" == Martin Schwenke <martin@meltin.net> writes:

    Sam> Why not split these two distinct checks into two modules.
    Sam> Have pam_unix do the checks for pam_unix.  Then have another
    Sam> module that determines whether you want to bypass
    Sam> network-based checks for the current user.

    Martin> That's what I'm doing right now.  It contorts the logic
    Martin> and introduces an unnecessary inefficiency.

And here's where I think is the fundamental disagreement we have.
I'd rather see minimum code duplication and PAM modules that do one
job well rather than having too much functionality added.  Since the
function of standard unix checks and checking for local users can be
cleanly split, they should be split into two modules.  I believe it is
simpler code flow, easier to debug and more flexible.

    Sam> P.S.  You're doomed on the whole not depending on network
    Sam> front if nss_ldap appears anywhere in your group nsswitch
    Sam> configuration.

    Martin> "getent passwd root", "getent group root" and "ls -l
    Martin> /root" don't generate any LDAP traffic.  If they did, I'd
    Martin> argue that NSS is broken.  The only LDAP traffic I see
    Martin> when I try to login as root looks to be generated by
    Martin> pam_unix!  :-(

The problem happens with the initgroups call.  I need to enumerate the
list of all groups in order to determine what supplemental groups you
are in.  The NSS interface in libc simply isn't well thought out
enough to allow for anything else.
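Added illustration of the initgroups point made in the message above (example code written for this page, not glibc's initgroups and not anything from the pam_unix or nss_ldap sources): with the classic NSS group interface the only way to answer "which supplementary groups is this user in?" is to walk every group record with setgrent/getgrent and test each member list, so the scan visits every backend listed on the group line of nsswitch.conf, LDAP included, even for root. The helper name collect_supplementary_groups, its iterator parameter, and the records_scanned out-parameter are assumptions made for the example; the stand-alone main runs it against the real getgrent for a user named on the command line (root by default) and prints how many records had to be read.

```c
#define _XOPEN_SOURCE 700
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical helper (not glibc's initgroups): pull every group record
 * from the iterator and remember the gid of each group whose member list
 * names `user`.  There is no "groups for user X" query in the classic
 * NSS group API, so every record must be fetched and inspected, whichever
 * backend (files, nis, ldap, ...) happens to supply it.
 *
 * next_group   - getgrent, or any function with the same shape
 * out/max      - receives up to `max` gids; the return value is the full
 *                count even when it exceeds `max`
 * records_scanned - how many group records were read to get the answer */
static size_t collect_supplementary_groups(const char *user,
                                           struct group *(*next_group)(void),
                                           gid_t *out, size_t max,
                                           size_t *records_scanned)
{
    size_t found = 0, scanned = 0;
    struct group *gr;

    while ((gr = next_group()) != NULL) {
        scanned++;
        for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++) {
            if (strcmp(*m, user) == 0) {
                if (found < max)
                    out[found] = gr->gr_gid;
                found++;
                break;          /* one gid per group, keep scanning */
            }
        }
    }
    if (records_scanned != NULL)
        *records_scanned = scanned;
    return found;
}

/* Constructed in-memory group "database" standing in for an NSS backend,
 * so the walk can be exercised without touching /etc/group or a directory.
 * Designated initializers keep this independent of struct group's field
 * order on a given libc. */
static char *wheel_members[]   = { "root", "martin", NULL };
static char *staff_members[]   = { "martin", NULL };
static char *ldapgrp_members[] = { "alice", NULL };
static struct group sample_groups[] = {
    { .gr_name = "wheel",   .gr_passwd = "x", .gr_gid = 10,   .gr_mem = wheel_members },
    { .gr_name = "staff",   .gr_passwd = "x", .gr_gid = 50,   .gr_mem = staff_members },
    { .gr_name = "ldapgrp", .gr_passwd = "x", .gr_gid = 5000, .gr_mem = ldapgrp_members },
};
static size_t sample_pos;

/* setgrent/getgrent look-alikes over the constructed records */
static void sample_setgrent(void) { sample_pos = 0; }
static struct group *sample_getgrent(void)
{
    if (sample_pos >= sizeof sample_groups / sizeof sample_groups[0])
        return NULL;
    return &sample_groups[sample_pos++];
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    gid_t gids[64];
    size_t scanned = 0;

    /* Real run: every group record the system's NSS chain can produce. */
    setgrent();
    size_t n = collect_supplementary_groups(user, getgrent, gids,
                                            sizeof gids / sizeof gids[0],
                                            &scanned);
    endgrent();

    printf("%s: %zu supplementary group(s), found by reading %zu group record(s)\n",
           user, n, scanned);
    for (size_t i = 0; i < n && i < sizeof gids / sizeof gids[0]; i++)
        printf("  gid %lu\n", (unsigned long)gids[i]);
    return 0;
}
```

Contrast this with getpwnam("root") or getgrnam("root"), which are single keyed lookups: with a "files ldap" group line, NSS finds the entry in /etc/group and stops before reaching LDAP, which is why those commands stay quiet on the wire while initgroups does not. The records_scanned count in the sample data stays at the total number of records regardless of which user is asked about, because the walk cannot stop early.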
