>>>>> "Sam" == Sam Hartman <hartmans@mit.edu> writes:
>>>>> "Martin" == Martin Schwenke <martin@meltin.net> writes:

    Sam> Traditionally, PAM has not been responsible for credential
    Sam> establishment for local credentials. In particular, for many
    Sam> applications, you don't want credentials established just
    Sam> because authentication has happened. For example, an imapd
    Sam> like Cyrus would never want to establish credentials as a
    Sam> specific user.

True...

    Sam> But wait, there's pam_setcred, that evil hack that sort of
    Sam> snuck in for some reason--perhaps because someone had heard
    Sam> of Kerberos and didn't quite understand it, or perhaps
    Sam> because someone wanted to write pam_group. Now, we have
    Sam> pam_group (I think that's the right module), which will add
    Sam> you to certain groups under certain conditions; pam_krb5,
    Sam> which sets up network credentials, and many other modules.

... not to mention pam_capabilities:

  http://freshmeat.net/projects/pam_capability/

:-)

    Sam> Long term, I think having PAM evolve to handle credentials
    Sam> establishment would be a net good; it would certainly help
    Sam> some of my long-term projects and would better mirror some of
    Sam> the better parts of the Windows security model. (I don't
    Sam> think emulating Windows for the sake of emulating Windows is
    Sam> good, but in this area I think they have a better
    Sam> architecture than we currently do.)

I totally agree.

    Sam> Of course when you take things to their logical conclusion,
    Sam> PAM would be responsible both for the setuid call *and*
    Sam> initgroups; I think doing one without the other would be
    Sam> wrong.

Yep... Could this be done via a session management module, say
pam_setuid or pam_setuser, which would be similar to pam_limits?

    Sam> Getting to that ideal world would be very difficult; I think
    Sam> the PAM upstream, libc upstream and application writers would
    Sam> all disagree with us. We'd also need to think carefully
    Sam> about the API and potentially change things and better define
    Sam> things such that PAM could actually be responsible for user
    Sam> credential management. But hey if anyone ever wants to fight
    Sam> that battle, I'm certainly interested in helping.

If you ever want to fight that battle, I'm certainly interested in
helping!

Today is a good day: Sam and I agreed on nearly everything... :-)

peace & happiness,

martin
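The point Sam makes above, that the setuid call and initgroups belong together, is what an application has to get right today because PAM does not do it. The following C program is an added illustration, not code from Sam, Martin, or the PAM project: it shows the credential-establishment sequence an application would run after pam_authenticate/pam_acct_mgmt/pam_setcred/pam_open_session have succeeded, with the supplementary group list replaced before the gid and uid are changed, followed by a check that the drop actually took effect and cannot be undone. The function names (establish_local_creds, creds_are_consistent, establish_for_current_user) are mine; the program targets the user it is already running as so it can be run unprivileged, and the group step is only attempted when the process is root, since only a privileged process may replace its group list.

```c
#define _DEFAULT_SOURCE 1   /* initgroups()/setgroups() prototypes in <grp.h> */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Establish local credentials for a user, the step an application performs
 * itself after the PAM stack has succeeded.  Order matters: the supplementary
 * group list (initgroups) can only be set while still privileged, so it goes
 * first; then the primary gid; then the uid, which discards the privilege
 * needed for the earlier steps.  Calling setuid() without initgroups() would
 * leave the process holding root's supplementary groups.
 * Returns 0 on success, -1 (errno set) on failure.
 * Assumption: `name` may be NULL, in which case the group list is reduced to
 * the primary gid only instead of being looked up from the group database. */
int establish_local_creds(const char *name, uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        int rc = name ? initgroups(name, gid) : setgroups(1, &gid);
        if (rc != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Post-condition check: real and effective ids match the target, and if we
 * started as root and dropped to a non-root uid, root cannot be regained.
 * Returns 1 when the credentials are consistent, 0 otherwise. */
int creds_are_consistent(uid_t uid, gid_t gid, int was_root)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (was_root && uid != 0 && setuid(0) == 0)
        return 0;   /* the drop was reversible: saved uid was still 0 */
    return 1;
}

/* Run the full sequence against the current user (a target that is always
 * legal, so this works unprivileged).  Returns 1 on success, 0 on failure. */
int establish_for_current_user(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    int was_root = (geteuid() == 0);
    struct passwd *pw = getpwuid(uid);      /* may be NULL in a minimal chroot */
    const char *name = pw ? pw->pw_name : NULL;

    if (establish_local_creds(name, uid, gid) != 0) {
        perror("establish_local_creds");
        return 0;
    }
    return creds_are_consistent(uid, gid, was_root);
}

int main(void)
{
    int ok = establish_for_current_user();
    printf("credential establishment %s (uid=%ld gid=%ld)\n",
           ok ? "consistent" : "INCONSISTENT",
           (long)getuid(), (long)getgid());
    return ok ? 0 : 1;
}
```

Run as root against a real account, the initgroups() branch is exercised and the final setuid(0) probe confirms the drop is permanent; run unprivileged, the group step is skipped because the kernel would refuse it, which is itself the reason the group list has to be handled before the uid change.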