[PATCH] pam_exec questions and possible patch

Aaron Cohen aaron at assonance.org
Wed Mar 21 23:03:34 UTC 2007


I'm currently trying to use pam_exec to call a script to synchronize
my home directories with a central server and have come across a
couple of issues.

Firstly, does pam_exec make any sense outside of the "session" section
of pam.conf?  It seems slightly hairy to me, because for instance if
it's in the auth section a user could cause a program to be executed
by another user by only unsuccessfully attempting to log in as that
user.

Secondly, is there any way to distinguish in the exec'ed program that
the session is being opened or closed?  I've finally created a simple
patch that defines a PAM_SESSION_ACTION environment variable in the
executed subprocess so that my script can do the correct actions.

Thirdly, does the seteuid option actually work correctly?  It seems to
me that it simply sets the effective user id to whatever the effective
user id already was.  My patch changes this by setting the effective
userid of the subprocess to the user id of the user whose session is
being created if this option is specified.

Thanks,
Aaron
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_exec.patch
Type: text/x-patch
Size: 4447 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pam-list/attachments/20070321/b7150eff/attachment.bin>

