On Tue, 25 Jun 2002, Nalin Dahyabhai wrote: > On Tue, Jun 25, 2002 at 04:56:02PM -0400, Robert P. J. Day wrote: > > ok, i think i see why that is. according to the docs, the only time > > something with a control flag of "optional" is necessary for > > authentication is if *no* *other* module of that module type > > has either succeeded or failed. if the pam_xauth.so was the > > only "session" module type and it failed, that would mean an > > overall failure. so putting in the session permit line just > > guarantees that, even if pam_xauth.so failed, you'd still get > > an overall success. is that how it works? > > > > in that case, though, why is there a single permit line for > > the "account" module type? the same logic surely doesn't hold > > here. so i'm still a mite confused. > > The return values for stacks without any "required" or "requisite" > modules isn't defined IIRC (I *think* it's implementation-specific). > Requiring pam_permit.so removes that ambiguity. ah, so if a "stack" is defined as all entries with the same module type, then either a stack with a single "optional" entry, or a totally empty stack, would have this undefined behaviour. am i reading that correctly? rday
