On Tue, 25 Jun 2002, Steve Langasek wrote: > On Tue, Jun 25, 2002 at 04:32:21PM -0400, Robert P. J. Day wrote: > > can anyone explain the rationale behind the "pam_permit" > > lines in, for instance, the /etc/pam.d/up2date file in red hat > > 7.3? > > > #%PAM-1.0 > > auth sufficient /lib/security/pam_rootok.so > > auth required /lib/security/pam_stack.so service=system-auth > > session required /lib/security/pam_permit.so > > session optional /lib/security/pam_xauth.so > > account required /lib/security/pam_permit.so > > > as i understand it, pam_permit.so always returns success, so what > > does it add to this file? > > It ensures that a failure in pam_xauth doesn't cause the session to > abort. ok, i think i see why that is. according to the docs, the only time something with a control flag of "optional" is necessary for authentication is if *no* *other* module of that module type has either succeeded or failed. if the pam_xauth.so was the only "session" module type and it failed, that would mean an overall failure. so putting in the session permit line just guarantees that, even if pam_xauth.so failed, you'd still get an overall success. is that how it works? in that case, though, why is there a single permit line for the "account" module type? the same logic surely doesn't hold here. so i'm still a mite confused. rday
