On Thu, Jan 25, 2001 at 08:40:30AM -0800, Andrew Morgan wrote:
> "David J. MacKenzie" wrote:
> > Right, su should call pam_setcred to both create and delete the credentials.
> > The current distribution of su in Linux-Mandrake sh-utils only calls it
> > to create them. I suspect other Linux distributions are using the
> > same PAM patches, but I haven't checked.
>
> I just want to say that I don't believe that su should skip the session
> calls. Having the hooks for session calls is something the admin can
> choose to use or not use as they see fit. (They can always put
> pam_permit.so modules to make the calls no-ops, but for auditing reasons
> these hooks are very useful to the admin.)

This is true as long as su uses a su-specific PAM_SERVICE name, which
it should and does. That convinces me. Su should call the session
functions.

> Cheers
>
> Andrew

Nico
--
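
The point quoted above, that an admin can turn su's session calls into no-ops with pam_permit.so, can be checked from the su-specific service file. The following is an added example, not part of the original message or of any PAM distribution: it parses a constructed /etc/pam.d/su-style file and reports whether the session stack does anything. The sample file contents and the function names parse_service and session_status are assumptions made for illustration.

```python
# Constructed sample of a su-specific service file (not from the thread).
SAMPLE_SU = """\
# /etc/pam.d/su (constructed example)
auth       sufficient   pam_rootok.so
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_permit.so
-session   optional     pam_permit.so   # '-' prefix: a missing module is not logged
"""

GROUPS = ("auth", "account", "password", "session")

def parse_service(text):
    """Parse one pam.d service file into ({group: [(control, module, args)]}, includes)."""
    stacks, includes = {g: [] for g in GROUPS}, []
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            includes.append(line.split()[1])
            continue
        group, rest = line.split(None, 1)
        group = group.lstrip("-")
        if group not in stacks:
            raise ValueError("unknown management group: " + group)
        if rest.startswith("["):            # [value=action ...] control syntax
            end = rest.index("]")
            control, rest = rest[:end + 1], rest[end + 1:]
        else:
            control, rest = rest.split(None, 1)
        fields = rest.split()
        if not fields:
            raise ValueError("no module on line: " + raw)
        stacks[group].append((control, fields[0], fields[1:]))
    return stacks, includes

def session_status(text):
    """Classify the session stack: 'active', 'no-op', 'unknown' or 'empty'."""
    stacks, includes = parse_service(text)
    modules = [m.rsplit("/", 1)[-1] for _, m, _ in stacks["session"]]
    if any(m != "pam_permit.so" for m in modules):
        return "active"      # at least one session module does real work
    if includes:
        return "unknown"     # an included file may add session modules
    # With no session lines at all, Linux-PAM falls back to the "other" service.
    return "no-op" if modules else "empty"

if __name__ == "__main__":
    print(session_status(SAMPLE_SU))
```
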