Hi all, I am working on a PAM module that maps usernames during the authentication process. While testing this, I've encountered two types of applications: those that refer to pamh to retrieve the username once authentication is complete (login is the only program of this class that I've found so far), and those that continue to use the initial login name they were given (every other program I've tested (imap, chsh, su, passwd)). I'm wondering which behavior is the "correct" behavior? Also, a lot of applications seem to rely on the getpw*() functions to determine the existence of a user. Is this simply a case of legacy APIs, or am I abusing the PAM API? Finally, assuming that I am not doing anything that PAM wasn't intended for, is there an accepted way to use the PAM API to test for the existence of a user without attempting to authenticate? For example, any number of programs allow root to modify attributes for other users, without requiring any authentication. Now, this could be handled via authentication using the pam_rootok module if listed as sufficient, but this particular module seems to require that the real uid be 0, and not just the euid. Is this intended? Any input is appreciated. Thanks, Chris
