On Tue, Jun 25, 2002 at 04:56:02PM -0400, Robert P. J. Day wrote:
> On Tue, 25 Jun 2002, Steve Langasek wrote:
>
> > On Tue, Jun 25, 2002 at 04:32:21PM -0400, Robert P. J. Day wrote:
> > >   can anyone explain the rationale behind the "pam_permit"
> > > lines in, for instance, the /etc/pam.d/up2date file in red hat
> > > 7.3?
> > >
> > > #%PAM-1.0
> > > auth       sufficient   /lib/security/pam_rootok.so
> > > auth       required     /lib/security/pam_stack.so service=system-auth
> > > session    required     /lib/security/pam_permit.so
> > > session    optional     /lib/security/pam_xauth.so
> > > account    required     /lib/security/pam_permit.so
> > >
> > >   as i understand it, pam_permit.so always returns success, so what
> > > does it add to this file?
> >
> > It ensures that a failure in pam_xauth doesn't cause the session to
> > abort.
>
>   ok, i think i see why that is.  according to the docs, the only time
> something with a control flag of "optional" is necessary for
> authentication is if *no* *other* module of that module type
> has either succeeded or failed.  if the pam_xauth.so was the
> only "session" module type and it failed, that would mean an
> overall failure.  so putting in the session permit line just
> guarantees that, even if pam_xauth.so failed, you'd still get
> an overall success.  is that how it works?

Exactly.

>   in that case, though, why is there a single permit line for
> the "account" module type?  the same logic surely doesn't hold
> here.  so i'm still a mite confused.

I assume this is because the packager doesn't want to do any additional
authorization checks using PAM.  (E.g., expired accounts are not an
issue.)

Steve Langasek
postmodern programmer
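
The stack evaluation discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how Linux-PAM combines control flags, run on the session lines of the up2date file with and without pam_permit. The function names and the assumption that pam_xauth fails are illustrative, and module return codes are reduced to plain success or failure.

```python
# Simplified model of Linux-PAM control-flag evaluation (added example,
# not Linux-PAM source code). Each module either succeeds or fails.
SUCCESS, FAILURE = "PAM_SUCCESS", "PAM_PERM_DENIED"

# What each control flag does with a module's success or failure.
ACTIONS = {
    "required":   {"ok": "ok",   "fail": "bad"},
    "requisite":  {"ok": "ok",   "fail": "die"},
    "sufficient": {"ok": "done", "fail": "ignore"},
    "optional":   {"ok": "ok",   "fail": "ignore"},
}

def run_stack(stack):
    """stack: list of (control_flag, module_name, module_succeeds)."""
    impression = None      # None: no module has counted towards the result
    status = FAILURE       # a stack in which nothing counts must fail
    for flag, _name, succeeds in stack:
        action = ACTIONS[flag]["ok" if succeeds else "fail"]
        if action in ("ok", "done"):
            if impression is None:
                impression, status = "positive", SUCCESS
            if action == "done" and impression == "positive":
                break      # sufficient: stop here with success
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", FAILURE
            if action == "die":
                break      # requisite: stop here with failure
        # "ignore": the module's result does not contribute at all
    return status

def session_stack(xauth_ok, with_permit):
    """Session lines of /etc/pam.d/up2date, optionally without pam_permit."""
    stack = []
    if with_permit:
        stack.append(("required", "pam_permit.so", True))  # always succeeds
    stack.append(("optional", "pam_xauth.so", xauth_ok))
    return run_stack(stack)

if __name__ == "__main__":
    # Constructed scenario: pam_xauth fails (assumption for illustration).
    print("with pam_permit:   ", session_stack(xauth_ok=False, with_permit=True))
    print("without pam_permit:", session_stack(xauth_ok=False, with_permit=False))
```

The account line works the same way: a lone `required pam_permit.so` gives the account stack one module that counts, and it always succeeds.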