
Re: pam_mkhomdir fix(ldap, su problem)

On Mon, Jul 07, 2003 at 08:56:08AM +0200, Thorsten Kukuk wrote:
> Where does the PAM doc say that you can change the rights between
> the function calls?

It doesn't say that you can, but there are many things which you can do
which the spec doesn't say that you can do.  The problem (assuming that
you're not supposed to be able to do that) is that the spec doesn't
prohibit such a thing.  It's underspecified.

> If you look at the RFC, pam_session is called before dropping
> privileges, not after.

The RFC has its own problems.  The sample assumes that someone else will
close the session properly, which for some authentication mechanisms is
not possible without state information that dies with this process.  The
sample code is also incomplete, omitting crucial details which, being
left open to interpretation, have bitten people badly when implementors
interpreted them differently.

> And that dropping the privileges before calling the session
> management is safer is a dream of some people: You have to trust
> the PAM module, because you called already some functions from it
> before, which are much more critical.

Consider pam_limits, which to work properly must be called to open a
session after privileges have been dropped (else certain limits such as
that on the number of running processes prevent applications like sshd
from even forking to start a shell on behalf of the user).  IIRC, this
is the specific reason that OpenSSH has flip-flopped on this particular
question before [1].


[1] http://bugzilla.mindrot.org/show_bug.cgi?id=83
