[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: yet more pam config file questions



On Tue, Jun 25, 2002 at 04:56:02PM -0400, Robert P. J. Day wrote:
> On Tue, 25 Jun 2002, Steve Langasek wrote:

> > On Tue, Jun 25, 2002 at 04:32:21PM -0400, Robert P. J. Day wrote:
> > >   can anyone explain the rationale behind the "pam_permit"
> > > lines in, for instance, the /etc/pam.d/up2date file in red hat
> > > 7.3?

> > > #%PAM-1.0
> > > auth       sufficient	/lib/security/pam_rootok.so
> > > auth       required	/lib/security/pam_stack.so service=system-auth
> > > session    required	/lib/security/pam_permit.so
> > > session    optional	/lib/security/pam_xauth.so
> > > account    required	/lib/security/pam_permit.so

> > >   as i understand it, pam_permit.so always returns success, so what
> > > does it add to this file?

> > It ensures that a failure in pam_xauth doesn't cause the session to
> > abort.

> ok, i think i see why that is.  according to the docs, the only time
> something with a control flag of "optional" is necessary for 
> authentication is if *no* *other* module of that module type
> has either succeeded or failed.  if the pam_xauth.so was the
> only "session" module type and it failed, that would mean an
> overall failure.  so putting in the session permit line just
> guarantees that, even if pam_xauth.so failed, you'd still get
> an overall success.  is that how it works?

Exactly.

> in that case, though, why is there a single permit line for
> the "account" module type?  the same logic surely doesn't hold
> here.  so i'm still a mite confused.

I assume this is because the packager doesn't want to do any additional
authorization checks using PAM.  (E.g., expired accounts are not an
issue.)

Steve Langasek
postmodern programmer

Attachment: pgp00006.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []