On Fri, Aug 18, 2000 at 04:09:48PM -0400, Nalin Dahyabhai wrote:
> On Fri, Aug 18, 2000 at 03:38:47PM -0400, Nicolas Williams wrote:
> > One thing I realize is that several LinuxPAM modules perform account
> > authorization checks in pam_sm_authenticate() rather than in
> > pam_sm_acct_mgmt(). I think this is a mistake.
>
> I think the last time this was brought up on this list, everyone who
> voiced an opinion agreed with that.

So these modules need fixing then?

> > I'm also mystified by the number of modules that provide noop
> > pam_sm_setcred() functions, instead of not providing any.
>
> If your module provides pam_sm_authenticate(), you're required to provide
> pam_sm_setcred(), even if it does nothing.

Ah. Makes sense.

> > The /bin/login / PAM interaction sequence for the successful login case
> > should probably be:
> >
> > - process options
> > - call pam_start()
> > - call pam_authenticate() unless -f && euid == 0
>
> I think there should be a call to pam_acct_mgmt() here, specifically to
> support correct usage of modules like pam_shells and pam_securetty.

Ooops. I meant to have that there. It was the main point of my post. Doh.

> > - call pam_open_session() to deal with utmp, logging, auditing, tty ownership
> > - setgid(), setgroups()
> > - call pam_setcred() to establish creds
> > - setuid()
> > - pam_end()
> > - cd to the user's home directory
> > - exec() the user's shell
>
> You can't pam_end() before the shell starts, because you have to call
> pam_setcred(PAM_DELETE_CREDS) and pam_close_session() before you do
> that. For this to work, login forks, handles the last two steps, and
> the parent takes care of a proper PAM shutdown when its child exits.

Hmmm. Well, that's not how Solaris 2.6 does it.

There seems to be an assumption that you can call pam_end() without
calling pam_close_session() and that later you can call pam_start()
again, use pam_set_item to set the relevant items (user, ruser, rhost,
tty) and then call pam_close_session() and pam_end(). I think this is
fine, provided that PAM, or, rather, the various PAM modules can
retrieve the necessary state given just those items.

So, on Solaris, pam_close_session() is called by telnetd and friends,
not by /bin/login.

> Nalin

Nico
--
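As an added illustration (not code from this thread or from Linux-PAM), the login call order discussed above: pam_acct_mgmt() after pam_authenticate(), and a fork so the privileged parent can run pam_setcred(DELETE), pam_close_session() and pam_end() only after the shell exits. The `struct pam_ops` table, the mock functions and `demo_trace()` are hypothetical: the PAM calls sit behind the table so the ordering can be exercised without linking libpam (for real use point the members at pam_authenticate() and friends), and setuid() is assumed to happen in the child so the parent keeps the privileges it needs for shutdown.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define ESTABLISH_CRED 0x2   /* same values as Linux-PAM's PAM_ESTABLISH_CRED */
#define DELETE_CRED    0x4   /* and PAM_DELETE_CRED */
/* Hypothetical table: point these at pam_authenticate() etc. for real use. */
struct pam_ops {
    int (*authenticate)(void *h, int flags);
    int (*acct_mgmt)(void *h, int flags);
    int (*open_session)(void *h, int flags);
    int (*setcred)(void *h, int flags);
    int (*close_session)(void *h, int flags);
    int (*end)(void *h, int status);
    int (*run_shell)(void *h);   /* child only: setuid(), chdir(home), exec shell */
};
/* Successful-login path after pam_start(); preauth = "login -f" as euid 0.
 * Returns 0, or the code of the failing step (pam_end() is still called). */
int pam_login_sequence(const struct pam_ops *o, void *h, int preauth) {
    int rc; pid_t pid;
    if (!preauth && (rc = o->authenticate(h, 0)) != 0) goto fail;
    /* Account checks (pam_securetty, pam_shells) belong here, not in auth. */
    if ((rc = o->acct_mgmt(h, 0)) != 0) goto fail;
    if ((rc = o->open_session(h, 0)) != 0) goto fail;   /* utmp, tty ownership */
    /* setgid()/setgroups() would precede establishing credentials. */
    if ((rc = o->setcred(h, ESTABLISH_CRED)) != 0) { o->close_session(h, 0); goto fail; }
    pid = fork();
    if (pid == 0) _exit(o->run_shell(h));    /* child: drop privileges, exec */
    if (pid > 0) waitpid(pid, NULL, 0);      /* parent keeps root for shutdown */
    o->setcred(h, DELETE_CRED);              /* shutdown order: creds, session, end */
    o->close_session(h, 0);
    return o->end(h, 0);
fail:
    o->end(h, rc);
    return rc;
}
/* Recording mocks (constructed for the demo) so the parent's call order can be read. */
static char trace[128];
static int rec(const char *s) { strcat(trace, s); strcat(trace, " "); return 0; }
#define MOCK(fn, tag) static int fn(void *h, int f) { (void)h; (void)f; return rec(tag); }
MOCK(m_auth, "auth") MOCK(m_acct, "acct") MOCK(m_open, "open")
MOCK(m_close, "close") MOCK(m_end, "end")
static int m_cred(void *h, int f) { (void)h; return rec(f == DELETE_CRED ? "cred-" : "cred+"); }
static int m_shell(void *h) { (void)h; return 0; }   /* stands in for exec() in the child */
/* Runs the sequence against the mocks and returns the parent's trace. */
const char *demo_trace(int preauth) {
    static const struct pam_ops o = { m_auth, m_acct, m_open, m_cred, m_close, m_end, m_shell };
    trace[0] = '\0';
    pam_login_sequence(&o, NULL, preauth);
    return trace;
}
```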