[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Re: About pam_access



On Fri, 2011-05-06 at 19:32 +0000, Александр Берсенев wrote: 
> Yes, you are right, adding pam_permit.so helps.
> 
> There are some inconsistency in pam: almost half of pam_sm_setcred
> functions in auth modules are returning PAM_SUCCESS unconditionally,
> other fews are returning PAM_IGNORE:
> PAM_IGNORE: pam_access, pam_echo, pam_exec, pam_faildelay, pam_ftp,
> pam_issue, pam_sepermit, pam_succeed_if, pam_warn
> PAM_SUCCESS: pam_listfile, pam_localuser, pam_permit, pam_rhosts,
> pam_rootok, pam_securetty, pam_selinux, pam_shells, pam_timestamp,
> pam_userdb, pam_wheel
> 
> In man page says that pam_sm_setcred function performs the task of
> altering the credentials of the user with respect to the corresponding
> authorization scheme. So, If all modules not alter the
> credentials(return PAM_IGNORE) user access will be denied.
> 
> If I understand correctly, a writer of /etc/pam.d/... configs must use
> at least one module from second list in auth stack. This is nontrivial
> thing. And it seems this is impossible to patch - changes are too big.
> 
> But pam_permit in the end is working, thank you.

I think that in the next major release of Linux-PAM we should unify
these return codes in pam_sm_setcred so that the admin can depend on
them.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]