[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: An "orthogonal" way of using libpam



Hi Ivan,

Ivan Popov <pin@math.chalmers.se> wrote:
> On Sat, 28 Dec 2002, Joerg Sommer wrote:
>> > be handy if the user's application wants to do it's own authentication.
>>
>> I don't know, if this is a good thing or if you open with this some
>> security holes.
> 
> The applications which grant privileges (login, sshd and similar) are run
> by root anyway, so they are going to be configured by root...
> 
> An application which grants access to some user's resources is totally
> under the responsibility of that user anyway. The user already has the

And there is the question, where is the limit? What is user resource and
what should control the admin? xlock is such a case. Some students locks
their X session and go to a lecture. The next lesson in the pool could
not take all PCs because they are locked. There is it good, if the root
password can unlock the session. Otherwise we kill the processes of the
user.

If the user can ban root from unlocking his session, root has the only
way to kill the user processes. So I don't want that the user can control
the pam file for xlock.

>> Better is IMHO, if the admin can include a file into a
>> file in /etc/pam.d/x, somthing like "$HOME/.pam/x".
> 
> Why have to create identical pam entries on thousands of hosts, as soon as

Because I can so control, what the user can do and can prevent some
things, that I don't want. OK is, if I can grant rights on a user base.
Mr. A can control xlock, Mr. B can control...

> runnable on multiple administration domains, where the administrators do
> not want to touch their hosts' /etc.

ACK, that's a really bad situation. And I don't see a better solution
then yours.

>> And what is such a application, that want do authentication by its own
>> way? And what it will do different to /etc/pam.d/x?
> 
> We could run several instances of the same application (sshd, samba,
> younameit), even on the same host, with different authentication policies

ACK, but I think there is the better way to pass different service names
to pam.

Yes, I see your is need is real and I don't see any solution. But your
extention must completely be able to switch off. Then you again depend
on root, but other ways are dangerous, IMHO.

Salut, Joerg.





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []