[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sufficient account management checking for locally defined users



>>>>> "Sam" == Sam Hartman <hartmans@mit.edu> writes:
>>>>> "Martin" == Martin Schwenke <martin@meltin.net> writes:

    Sam> Traditionally, PAM has not been responsible for credential
    Sam> establishment for local credentials.  In particular, for many
    Sam> applications, you don't want credentials established just
    Sam> because authentication has happened.  For example, an imapd
    Sam> like Cyrus would never want to establish credentials as a
    Sam> specific user.

True...

    Sam> But wait, there's pam_setcred, that evil hack that sort of
    Sam> snuck in for some reason--perhaps because someone had heard
    Sam> of Kerberos and didn't quite understand it, or perhaps
    Sam> because someone wanted to write pam_group.  Now, we have
    Sam> pam_group (I think that's the right module), which will add
    Sam> you to certain groups under certain conditions; pam_krb5,
    Sam> which sets up network credentials, and many other modules.

... not to mention pam_capabilities:

  http://freshmeat.net/projects/pam_capability/

:-)

    Sam> Long term, I think having PAM evolve to handle credentials
    Sam> establishment would be a net good; it would certainly help
    Sam> some of my long-term projects and would better mirror some of
    Sam> the better parts of the Windows security model.  (I don't
    Sam> think emulating Windows for the sake of emulating Windows is
    Sam> good, but in this area I think they have a better
    Sam> architecture than we currently do.)

I totally agree.

    Sam> Of course when you take things to their logical conclusion,
    Sam> PAM would be responsible both for the setuid call *and*
    Sam> initgroups; I think doing one without the other would be
    Sam> wrong.

Yep...  Could this be done via a session management module, say
pam_setuid or pam_setuser, which would be similar to pam_limits?

    Sam> Getting to that ideal world would be very difficult; I think
    Sam> the PAM upstream, libc upstream and application writers would
    Sam> all disagree with us.  We'd also need to think carefully
    Sam> about the API and potentially change things and better define
    Sam> things such that PAM could actually be responsible for user
    Sam> credential management.  But hey if anyone ever wants to fight
    Sam> that battle, I'm certainly interested in helping.

If you ever want to fight that battle, I'm certainly interested in
helping!

Today is a good day: Sam and I agreed on nearly everything...  :-)

peace & happiness,
martin
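
The point Sam makes above, that a module doing setuid() without initgroups() (or the reverse) would be wrong, and Martin's suggestion of a session module in the style of pam_limits, as an added example that is not code from this thread, from Linux-PAM, or from any real pam_setuid module (the name is only the hypothetical one proposed above). It is a plain C file: the credential switch is ordinary library code, and the PAM entry point is compiled in only with -DPAM_MODULE against the libpam development headers, whose availability is assumed.

```c
#define _GNU_SOURCE             /* getresuid/getresgid, initgroups on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Become `name` (uid/gid from its passwd entry).  Supplementary groups
 * and the gid are set first: both need root, which setuid() throws away.
 * Returns 0 or a negative errno. */
static int switch_credentials(const char *name, uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Replace root's supplementary groups with the target user's. */
        if (initgroups(name, gid) != 0)
            return -errno;
    } else if (getuid() != uid || getgid() != gid) {
        return -EPERM;          /* unprivileged: cannot change identity */
    }
    if (setgid(gid) != 0)       /* real, effective and saved gid */
        return -errno;
    if (setuid(uid) != 0)       /* real, effective and saved uid */
        return -errno;
    return 0;
}

/* Confirm the switch is complete: all three uids and gids match and,
 * unless the target is root, root cannot be regained. 0 on success. */
static int verify_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (ru != uid || eu != uid || su != uid)
        return -1;
    if (rg != gid || eg != gid || sg != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)     /* must fail: saved uid is gone */
        return -1;
    return 0;
}

/* Look the user up, switch, and check.  A failure after initgroups()
 * leaves a half-switched process, so callers must treat any non-zero
 * result as fatal rather than carry on with what they have. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -ENOENT;
    int rc = switch_credentials(pw->pw_name, pw->pw_uid, pw->pw_gid);
    if (rc != 0)
        return rc;
    return verify_dropped(pw->pw_uid, pw->pw_gid) == 0 ? 0 : -EPERM;
}

#ifdef PAM_MODULE
#define PAM_SM_SESSION
#include <security/pam_modules.h>  /* assumed: libpam development headers */

/* Session hook: PAM_USER has already passed the auth and account stacks,
 * so here the module becomes that user on the application's behalf. */
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_SESSION_ERR;
    return drop_to_user(user) == 0 ? PAM_SUCCESS : PAM_SESSION_ERR;
}

int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;         /* nothing to undo: the switch is one-way */
}
#else
/* Stand-alone use: ./a.out <user> (root is needed to become another user). */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s user\n", argv[0]); return 2; }
    int rc = drop_to_user(argv[1]);
    if (rc != 0) { fprintf(stderr, "%s: %s\n", argv[1], strerror(-rc)); return 1; }
    printf("now uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
#endif
```

The verify step is the part a practitioner would want: on Linux setuid() from root clears the saved uid too, so a later setuid(0) must fail, and checking that is cheaper than trusting it. Such a module also only belongs in the session stack of services that actually want to run as the user (login, sshd and the like), which is exactly the distinction Sam draws with the Cyrus imapd case above; an application that authenticates many users in one process must not have it in its stack.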