[Pkg-shadow-devel] PAM_USER set by modules
Nicolas François
nekral.lists at gmail.com
Wed May 21 08:04:04 UTC 2008
[for pkg-shadow-devel readers, I'm just retrying with my address
subscribed to pam-list. Sorry for the duplicate.]
Hello,
According to the Linux-PAM Module Writers' Guide and the Linux-PAM
Application Developers' Guide, the PAM_USER item can be set or changed by
any module, and should be checked after each call to a PAM function.
Now I'm having a problem with pam_setcred. It is specified that the UID
and GID credentials should be set before calling this function.
Is it possible that the pam_setcred function changes the PAM_USER item?
In that case, what do you think should be the behavior of applications?
(redo a setuid/setgid?)
After calling pam_setcred, I'm also calling pam_open_session; can the
PAM_USER item also be changed at that time?
Do you have examples of modules that change the PAM_USER item?
My questions are related to su (from shadow-utils), which uses the
following sequence:
pam_start (always with a non NULL username)
pam_authenticate
pam_acct_mgmt
(pam_chauthtok)
pam_setcred
pam_open_session
Currently, su considers that it has to switch to the user specified on the
command line.
Do you think su should follow the changes made to PAM_USER? (and up to
what step in the above sequence?)
Or should su always do what it was requested to do, even if PAM_USER was
changed to authenticate another user or for any other reason?
(I'm lacking the rationale or use cases for changing PAM_USER)
Thanks in advance,
--
Nekral