PAM modules violating PAM architecture?, e.g. mod_auth_pam - apache 2?
Jed Donnelley
jed at nersc.gov
Sat Oct 9 02:17:14 UTC 2004
At 03:12 AM 10/7/2004, Kenneth Porter wrote:
>--On Wednesday, October 06, 2004 11:44 AM -0700 Jed Donnelley
><jed at nersc.gov> wrote:
>
>>Puzzled, I looked at mod_auth_pam.c (1.1.1) and found:
>>
>>418: pwent = getpwnam(r->connection->user);
>>and
>>464: if ((grent = getgrnam (groupname)) && grent->gr_mem) {
>
>My copy says "#define VERSION "2.0-1.1" and has only 412 lines. The
>tarball name claims version 1.1.1, found here:
>
><http://pam.sourceforge.net/mod_auth_pam/>
>
>Where did you pull your copy from?

The same. I'm referring to the 1.3 version, 1.1.1. I just pulled down the 2.0-1.1.1 version and took a look. It looks quite different. I do see:

#include <pwd.h> /* for getpwnam et.al. */
#include <grp.h> /* for getpwnam et.al. */

but then I don't see any calls to getpwnam or to getgrnam. Perhaps the version for Apache 2.x fixes this problem? I'd be willing to give it a try, though I may not get to it for a week or so.

>I do see lines like that in mod_auth_sys_group.c, which is compiled into a
>separate module.

I think that may be unavoidable due to the lack of a PAM configuration/interface for group lookup. Well, the call to getgrnam anyway. Do you see a call to getpwnam? That might cause a problem, but perhaps the best way to check would be to try it out.

--Jed http://www.nersc.gov/~jed/