PAM stack state table
Mark Filipak
markfilipak.linux at gmail.com
Tue Oct 6 00:40:01 UTC 2009
(Previously sent before I joined - oops! - so, this topic should be new, but if it is redundant, please excuse me.)
Hi All,
I'm a hardware engineer and a computer architect, but a Linux newbie. I have a development contribution, if only to the man pages.
Background: I find some Linux man pages frustrating. I'm sure I'm not alone. Any logical process translated to English can introduce vagaries. But to just point people to .c and .h files puts a tremendous learning burden on them. I think I have a good way to portray PAM stacks. Please send me your opinions and corrections.
(Note: I included this in a message to Nalin Dahyabhai - with some errors - regarding pam_stack.so, so if you're reading this, Mr. Dahyabhai, you're off the hook if you choose to be.-)
The more I read the pam(5) man page the less I know for sure. So, being a hardware engineer, I prepared the following state table.
    prev.module-output   this.module          this.module-output   stack-output
    -------------------  -------------------  -------------------  -------------------
01: <prev.value>=bad     <this.value>=bad     <prev.value>=bad     (to be determined)   # could become <some.value>=die
02: <prev.value>=bad     <this.value>=die     <this.value>=die     <this.value>=die
03: <prev.value>=bad     <this.value>=done    <prev.value>=bad     (to be determined)   # could become <some.value>=die
04: <prev.value>=bad     <this.value>=ignore  <prev.value>=bad     (to be determined)   # could become <some.value>=die
05: <prev.value>=bad     <this.value>=ok      <prev.value>=bad     (to be determined)   # could become <some.value>=die
06: <prev.value>=bad     <this.value>=reset   (indeterminate)      (to be determined)   # could become <some.value>=bad, =die, =done, =ignore, or =ok
07: <prev.value>=die     (skipped)            <prev.value>=die     <prev.value>=die
08: <prev.value>=done    (skipped)            <prev.value>=done    <prev.value>=done
09: <prev.value>=ignore  <this.value>=bad     <this.value>=bad     (to be determined)   # could become <some.value>=die
10: <prev.value>=ignore  <this.value>=die     <this.value>=die     <this.value>=die
11: <prev.value>=ignore  <this.value>=done    <this.value>=done    <this.value>=done
12: <prev.value>=ignore  <this.value>=ignore  <this.value>=ignore  (to be determined)   # could become <some.value>=bad, =die, =done, or =ok
13: <prev.value>=ignore  <this.value>=ok      <this.value>=ok      (to be determined)   # could become <some.value>=bad or =die (or =done?)
14: <prev.value>=ignore  <this.value>=reset   (indeterminate)      (to be determined)   # could become <some.value>=bad, =die, =done, =ignore, or =ok
15: <prev.value>=ok      <this.value>=bad     <this.value>=bad     (to be determined)   # could become <some.value>=die
16: <prev.value>=ok      <this.value>=die     <this.value>=die     <this.value>=die
17: <prev.value>=ok      <this.value>=done    <this.value>=done    <this.value>=done
18: <prev.value>=ok      <this.value>=ignore  <prev.value>=ok      (to be determined)   # could become <some.value>=bad or =die (or =done?)
19: <prev.value>=ok      <this.value>=ok      <this.value>=ok      (to be determined)   # could become <some.value>=bad or =die (or =done?)
20: <prev.value>=ok      <this.value>=reset   (indeterminate)      (to be determined)   # could become <some.value>=bad, =die, =done, =ignore, or =ok
21: <prev.value>=reset   <this.value>=bad     <this.value>=bad     (to be determined)   # could become <some.value>=die
22: <prev.value>=reset   <this.value>=die     <this.value>=die     <this.value>=die
23: <prev.value>=reset   <this.value>=done    <this.value>=done    <this.value>=done
24: <prev.value>=reset   <this.value>=ignore  <this.value>=ignore  (to be determined)   # could become <some.value>=bad, =die, =done, or =ok
25: <prev.value>=reset   <this.value>=ok      <this.value>=ok      (to be determined)   # could become <some.value>=bad or =die (or =done?)
26: <prev.value>=reset   <this.value>=reset   (indeterminate)      (to be determined)   # could become <some.value>=bad, =die, =done, =ignore, or =ok
27: (indeterminate)      <this.value>=bad     <this.value>=bad     (to be determined)   # could become <some.value>=die
28: (indeterminate)      <this.value>=die     <this.value>=die     <this.value>=die
29: (indeterminate)      <this.value>=done    <this.value>=done    <this.value>=done
30: (indeterminate)      <this.value>=ignore  <this.value>=ignore  (to be determined)   # could become <some.value>=bad, =die, =done, or =ok
31: (indeterminate)      <this.value>=ok      <this.value>=ok      (to be determined)   # could become <some.value>=bad or =die (or =done?)
32: (indeterminate)      <this.value>=reset   (indeterminate)      (to be determined)   # could become <some.value>=bad, =die, =done, =ignore, or =ok
33: (indeterminate)      (stack exhausted)                         (indeterminate)
Notes.
In line 01, a subsequent "bad" does not trump a previous "bad".
In line 02, "die" trumps "bad". Is this true? The man page is unclear. (Also affects "could become <some.value>=die" comments.)
In lines 06, 14, 20, and 26-32, reset clears the stack, but is there some initial value? The man page says nothing.
In line 17, "done" trumps "ok". Is this true? The man page is unclear.
In line 18, a subsequent "ok" trumps a previous "ok".
In line 33, if there is no PAM auth stack (or if it ends with "reset"), is no-one authorized or is everyone authorized?
Thanks, and Ciao -- Mark Filipak, Mansfield, Ohio, U.S.A.
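Added example (not part of Mr. Filipak's message, and not Linux-PAM's own code): a small Python model of how libpam folds per-module results into the stack result, so the table above can be checked by running cases rather than by re-reading pam(5). It follows the action semantics documented in pam.conf(5) and, for the cases the man page leaves open, the dispatcher logic of libpam/pam_dispatch.c as I read it; those readings are marked as assumptions in the code, in particular that the initial (and post-reset) value is PAM_PERM_DENIED, that a later failure never replaces the first failure's return code, and that "done" terminates the stack only when no earlier module has failed. The names run_stack, action_for and SCENARIOS are mine, and the module return codes in SCENARIOS are constructed inputs. Integer jump actions and a module that itself returns PAM_IGNORE are not modelled.

```python
"""Model of how a Linux-PAM module stack folds per-module results into one
stack result. Added example, not code from the post or from Linux-PAM; it
follows pam.conf(5) and the dispatcher logic of libpam/pam_dispatch.c as
the example's author reads them (assumptions are marked). Integer jump
actions and a module returning PAM_IGNORE are not modelled."""

# The three "impressions" the dispatcher keeps while walking the stack.
UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"

# Assumption: libpam's PAM_MUST_FAIL_CODE, reported when no decision was made.
MUST_FAIL = "PAM_PERM_DENIED"

# Expansion of the four classic keywords, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Return code -> value name used in [value=action] controls (a subset).
VALUE_NAME = {
    "PAM_SUCCESS": "success", "PAM_NEW_AUTHTOK_REQD": "new_authtok_reqd",
    "PAM_IGNORE": "ignore", "PAM_AUTH_ERR": "auth_err",
    "PAM_USER_UNKNOWN": "user_unknown", "PAM_PERM_DENIED": "perm_denied",
}


def action_for(control, retval):
    """control is a keyword ("required", ...) or a dict like {"default": "die"}."""
    table = KEYWORDS[control] if isinstance(control, str) else control
    return table.get(VALUE_NAME.get(retval, retval), table.get("default", "bad"))


def run_stack(stack):
    """stack: list of (control, module_return_code).

    Returns (final_status, trace); trace holds (impression, status) after
    every module that was reached, i.e. the "stack-output" column of the
    state table in the post."""
    impression, status = UNDEF, MUST_FAIL           # initial value (assumption)
    trace = []
    for control, retval in stack:
        action = action_for(control, retval)
        terminate = False
        if action == "ignore":
            pass                                    # contributes nothing
        elif action in ("ok", "done"):
            # Counts only if nothing has failed yet and no earlier "ok" left a
            # non-success value such as PAM_NEW_AUTHTOK_REQD in place.
            if impression == UNDEF or (impression == POSITIVE and status == "PAM_SUCCESS"):
                impression, status = POSITIVE, retval
            # Assumption: "done" ends the stack only on a positive impression;
            # after an earlier failure the remaining modules still run.
            terminate = action == "done" and impression == POSITIVE
        elif action in ("bad", "die"):
            # The first failure sets the stack's code; later failures keep it,
            # so "die" after "bad" ends the stack without changing the value.
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval
            terminate = action == "die"
        elif action == "reset":
            impression, status = UNDEF, MUST_FAIL   # back to the initial state
        else:
            raise ValueError(f"action {action!r} not modelled")
        trace.append((impression, status))
        if terminate:
            break
    # Sanity check: success is only ever reported on a positive impression.
    if status == "PAM_SUCCESS" and impression != POSITIVE:
        status = MUST_FAIL
    return status, trace


# Scenarios keyed by the row(s) of the post's state table they exercise.
# The module return codes are constructed inputs, not captured from a system.
SCENARIOS = {
    "02 bad then die":      [("required", "PAM_AUTH_ERR"), ("requisite", "PAM_USER_UNKNOWN"), ("required", "PAM_SUCCESS")],
    "03 bad then done":     [("required", "PAM_AUTH_ERR"), ("sufficient", "PAM_SUCCESS"), ("required", "PAM_SUCCESS")],
    "17 ok then done":      [("required", "PAM_SUCCESS"), ("sufficient", "PAM_SUCCESS"), ("required", "PAM_AUTH_ERR")],
    "18 ok then ignore":    [("required", "PAM_SUCCESS"), ("optional", "PAM_AUTH_ERR")],
    "19 non-success ok":    [("required", "PAM_NEW_AUTHTOK_REQD"), ("required", "PAM_SUCCESS")],
    "06/25 bad, reset, ok": [("required", "PAM_AUTH_ERR"), ({"default": "reset"}, "PAM_SUCCESS"), ("required", "PAM_SUCCESS")],
    "33 empty stack":       [],
    "33 ends with reset":   [("required", "PAM_SUCCESS"), ({"default": "reset"}, "PAM_SUCCESS")],
}


def main():
    for name, stack in SCENARIOS.items():
        status, trace = run_stack(stack)
        print(f"{name:22} -> {status:22} ran {len(trace)} of {len(stack)} modules")


if __name__ == "__main__":
    main()
```

Under this model the open questions in the notes come out as follows: row 02 ends the stack but reports the first failure's code, not the "die" module's; row 03 does not end the stack at all; row 17 reports the "done" module's own code because the earlier "ok" had left PAM_SUCCESS; and row 33 (an empty stack, or one whose last action was "reset") is reported as PAM_PERM_DENIED, so nobody is authenticated. Check the behaviour against the pam_dispatch.c of the Linux-PAM version you actually run before relying on it.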