[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_succeed_if's pam_sm_setcred



On Thu, Mar 05, Ian Ward Comfort wrote:

> As of Linux-PAM 1.0.4, the pam_sm_setcred function of the  
> pam_succeed_if module always returns PAM_IGNORE:
> 
>     PAM_EXTERN int
>     pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
>                    int argc UNUSED, const char **argv UNUSED)
>     {
>             return PAM_IGNORE;
>     }
> 
> Is there any design reason not to give this function the same  
> succeed_if behavior that the other pam_sm_* functions have?  I ask  
> because I have a real-world scenario in which I'd like to use  
> pam_succeed_if to skip setcred for some modules under certain  
> circumstances.

As written in the manual page of pam_sm_setcred():

       The way the auth stack is navigated in order to evaluate the
       pam_setcred() function call, independent of the pam_sm_setcred() return
       codes, is exactly the same way that it was navigated when evaluating
       the pam_authenticate() library call. Typically, if a stack entry was
       ignored in evaluating pam_authenticate(), it will be ignored when
       libpam evaluates the pam_setcred() function call. Otherwise, the return
       codes from each module specific pam_sm_setcred() call are treated as
       required.

So what you wish to do is not possible.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]