pam_succeed_if's pam_sm_setcred
Thorsten Kukuk
kukuk at suse.de
Thu Mar 5 18:45:05 UTC 2009
On Thu, Mar 05, Ian Ward Comfort wrote:
> As of Linux-PAM 1.0.4, the pam_sm_setcred function of the
> pam_succeed_if module always returns PAM_IGNORE:
>
> PAM_EXTERN int
> pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
>                int argc UNUSED, const char **argv UNUSED)
> {
>     return PAM_IGNORE;
> }
>
> Is there any design reason not to give this function the same
> succeed_if behavior that the other pam_sm_* functions have? I ask
> because I have a real-world scenario in which I'd like to use
> pam_succeed_if to skip setcred for some modules under certain
> circumstances.

As written in the manual page of pam_sm_setcred():

    The way the auth stack is navigated in order to evaluate the
    pam_setcred() function call, independent of the pam_sm_setcred() return
    codes, is exactly the same way that it was navigated when evaluating
    the pam_authenticate() library call. Typically, if a stack entry was
    ignored in evaluating pam_authenticate(), it will be ignored when
    libpam evaluates the pam_setcred() function call. Otherwise, the return
    codes from each module specific pam_sm_setcred() call are treated as
    required.

So what you wish to do is not possible.

Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
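
The man page passage quoted in the reply above, as a simplified model added here for illustration; it is not libpam source and not code from either poster. The `JUMP1` control (standing in for `[success=1 default=ignore]`), the modules `pam_a` and `pam_b`, and all return values are assumptions constructed for the example.

```c
/* Simplified model of the quoted man page text; not libpam source code. */
#include <stdio.h>
#include <string.h>

enum { OK, FAIL, IGNORE };        /* stand-ins for PAM return codes */
enum { REQUIRED, JUMP1 };         /* JUMP1 models [success=1 default=ignore] */

struct entry {
    const char *name;
    int control, auth_ret, cred_ret;   /* constructed per-module results */
    int visited, ignored;              /* walk recorded at authenticate time */
};

/* pam_authenticate(): walk the stack and record how it was navigated. */
void model_authenticate(struct entry *s, int n) {
    for (int i = 0; i < n; i++) {
        s[i].visited = 1;
        if (s[i].control == JUMP1 && s[i].auth_ret == OK) i++;  /* jump over next entry */
        else if (s[i].control == JUMP1 || s[i].auth_ret == IGNORE) s[i].ignored = 1;
    }
}

/* pam_setcred(): replay the recorded walk; list modules whose result counted. */
int model_setcred(const struct entry *s, int n, char *ran, size_t len) {
    int status = OK;
    ran[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (!s[i].visited || s[i].ignored) continue;  /* same path as authenticate */
        if (s[i].cred_ret == IGNORE) continue;        /* e.g. pam_succeed_if's setcred */
        snprintf(ran + strlen(ran), len - strlen(ran), "%s ", s[i].name);
        if (s[i].cred_ret != OK) status = FAIL;       /* treated as required */
    }
    return status;
}

/* Constructed stack: pam_succeed_if guards pam_a; pam_b always runs. */
int demo(int cond_at_auth, char *ran, size_t len) {
    struct entry s[] = {
        { "pam_succeed_if", JUMP1, cond_at_auth ? OK : FAIL, IGNORE, 0, 0 },
        { "pam_a", REQUIRED, OK, OK, 0, 0 },
        { "pam_b", REQUIRED, OK, OK, 0, 0 },
    };
    model_authenticate(s, 3);
    return model_setcred(s, 3, ran, len);
}

int main(void) {
    char ran[64];
    for (int c = 0; c < 2; c++) { demo(c, ran, sizeof ran); printf("cond=%d: %s\n", c, ran); }
    return 0;
}
```

In this model, whether `pam_a` takes part in the setcred pass is decided entirely by what `pam_succeed_if` returned during authenticate; its own setcred return value never steers the walk.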