"David J. MacKenzie" wrote: > Right, su should call pam_setcred to both create and delete the credentials. > The current distribution of su in Linux-Mandrake sh-utils only calls it > to create them. I suspect other Linux distributions are using the > same PAM patches, but I haven't checked. I just want to say that I don't believe that su should skip the session calls. Having the hooks for session calls is something the admin can choose to use or not use as they see fit. (They can always put pam_permit.so modules to make the calls no-ops, but for auditing reasons these hooks are very useful to the admin.) BTW, I realize that folk prefer to modify existing applications to support PAM, but there are some reference applications available for things like login and su here: http://cvs.sourceforge.net/cgi-bin/cvsweb.cgi/applications/SimplePAMApps/pamapps/?cvsroot=pam I'd be interested if folk find the stated 'linux utility' problems with these applications. Cheers Andrew
