Nicolas Williams <Nicolas.Williams@ubsw.com> writes:

>> PAM (and PAM_KRB5) would only be called by /bin/login and /bin/su.
>> /bin/login would call pam_authenticate() and /bin/su wouldn't. Both
>> would call PAM's account/session management functions and PAM_KRB5's
>> session management would handle renaming/chowning of the user's
>> credentials file as well as setting KRB5_CCNAME.

A nit: credentials should never be chown'd, and renaming is also not a good idea. They should be created *as* the user. Otherwise, you can get into trouble with interactions with sticky bits, race conditions, quotas, permission mapping, or a number of other unix subtleties which all vanish when you just call creat() as the user who owns the tickets.

Hopefully, it isn't an inherent property of PAM that you need to use chown.

Marc