On Sat, May 12, 2001 at 05:14:20PM -0400, Sam Hartman wrote:
>
> So, both the Linux-PAM and Solaris documentation tell authors to call
> pam_open_session before pam_setcred. I don't understand why this
> would ever be useful and have examples of cases where it would be a
> bad idea.

(Redacting a zephyr conversation which I had with Sam this afternoon)

The main reason that I can think of for the ordering dictated by the PAM
specification is to allow for a situation where the session
initialization is needed to establish a location where credentials are
to be stored by pam_setcred.

> But then it seems that it would be a session level activity to mount a
> homedir, or create a homedir, or in my case let AFS know about tokens.
> None of these activities have anything to do with authentication, but
> all of them could depend on having access to network authentication
> made available in setcred. For example, I could be using a networked
> filesystem with authentication to mount the homedir. I could desire
> to log into a database to get information on the initial contents of
> the homedir, authenticating to the database with the network identity
> of the already authenticated user. In the AFS case I need the
> credentials to convert them into tokens.

Remote filesystems have always been problematic, since often you *must*
establish credentials before you can access the user's home directory.
So saying that pam_setcred happens after the pam_session is established
is problematic. In practice, the way this problem is handled today is to
have the Kerberos and PAM modules establish credentials using a session
hook, and not using pam_setcred. This *does* work, but arguably one can
ask then what's the point of having pam_setcred?

As for Sam's suggestion to change the order in which pam_setcred should
be called, apparently we have a problem in that a number of
applications, including login, are calling things in the "wrong" order,
i.e., calling pam_setcred before pam_open_session. This is despite the
wording in section 3.2 of the PAM module writer's guide, which states
that pam_setcred MUST be called after a session is established using
pam_open_session, and despite the wording in section 3.1.8 of the PAM
application writer's guide, which says that it is "usually called" after
a session has been opened for the user. OSF-DCE RFC 86.0 also makes it
clear in the sample code that pam_setcred()

The fact that some applications are calling pam_setcred() and
pam_open_session() in an indeterminate order is his justification for
changing things so that the "right" order is the exact opposite of what
is currently documented, and which matches the order used by login.
(i.e., calling pam_setcred() before pam_open_session().)

I'd argue that it's probably better, in terms of Sun/DCE
interoperability, to say that the "right" order is what's currently
documented, both in the Sun and Linux-PAM documentation, but to
deprecate the usage of pam_setcred. Specifically, in the case of things
like Kerberos and AFS where it's necessary to establish credentials
early, that it's documented and recommended that credential
establishment take place during pam_open_session().

Of course, those applications like login which are calling pam_setcred()
in the wrong order should be fixed, and the documentation in the
application writer's guide should probably be strengthened to match the
language in the PAM module writer's guide.

- Ted
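The ordering dependency argued over in this thread, as an added illustration that is not part of the original message and is not libpam code: a constructed model in which small hook functions stand in for what modules do in their open_session and setcred entry points, and a state struct records what one login has established so far. It runs the two hook orders (the documented one, session before setcred, and the one login uses, setcred before session) across three module combinations: a credential cache stored under a local home directory, a networked filesystem whose mount needs network credentials, and the same filesystem with credentials established from a session hook instead of setcred. All names (the `login_state` fields, the `MODEL_*` codes, the hook functions) are assumptions for this model, not PAM API names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the open_session / setcred ordering problem.
 * Added example, not libpam: the hooks stand in for module entry points,
 * and the struct records what has been established for one login. */
typedef struct {
    bool homedir_available;  /* the user's home directory can be written */
    bool network_creds;      /* Kerberos-style network credentials exist */
} login_state;

/* Model result codes (assumptions for this example, not PAM_* values). */
enum { MODEL_OK = 0, MODEL_ERR_NO_LOCATION = 1, MODEL_ERR_NO_CREDS = 2 };

typedef int (*hook_fn)(login_state *);

/* Session hook for a local home directory: nothing to authenticate to. */
static int local_open_session(login_state *s) {
    s->homedir_available = true;
    return MODEL_OK;
}

/* setcred hook that stores a credential cache under the home directory:
 * the case for which the documented order (session first) makes sense. */
static int homedir_cache_setcred(login_state *s) {
    if (!s->homedir_available)
        return MODEL_ERR_NO_LOCATION;   /* nowhere to put the cache yet */
    s->network_creds = true;
    return MODEL_OK;
}

/* Session hook for a networked filesystem (the AFS/Kerberos case):
 * mounting the home directory already needs network credentials. */
static int netfs_open_session(login_state *s) {
    if (!s->network_creds)
        return MODEL_ERR_NO_CREDS;
    s->homedir_available = true;
    return MODEL_OK;
}

/* Credential module that establishes credentials from its session hook,
 * keeping them outside the home directory, stacked before the filesystem
 * module in the session phase: the workaround the message describes. */
static int creds_then_netfs_open_session(login_state *s) {
    s->network_creds = true;            /* cache kept outside the home dir */
    return netfs_open_session(s);
}

/* Order the PAM documentation specifies: open_session, then setcred. */
int run_documented_order(hook_fn session, hook_fn setcred) {
    login_state s = { false, false };
    int rc = session(&s);
    if (rc != MODEL_OK)
        return rc;
    return setcred ? setcred(&s) : MODEL_OK;
}

/* Order login uses: setcred, then open_session. */
int run_login_order(hook_fn session, hook_fn setcred) {
    login_state s = { false, false };
    int rc = setcred ? setcred(&s) : MODEL_OK;
    if (rc != MODEL_OK)
        return rc;
    return session(&s);
}

/* The scenarios discussed in the thread. */
int scenario_local_home_documented(void)  { return run_documented_order(local_open_session, homedir_cache_setcred); }
int scenario_local_home_login_order(void) { return run_login_order(local_open_session, homedir_cache_setcred); }
int scenario_netfs_documented(void)       { return run_documented_order(netfs_open_session, homedir_cache_setcred); }
int scenario_netfs_login_order(void)      { return run_login_order(netfs_open_session, homedir_cache_setcred); }
int scenario_netfs_creds_in_session(void) { return run_documented_order(creds_then_netfs_open_session, NULL); }

int main(void) {
    printf("local home,  documented order:        %d\n", scenario_local_home_documented());
    printf("local home,  login order:             %d\n", scenario_local_home_login_order());
    printf("net fs,      documented order:        %d\n", scenario_netfs_documented());
    printf("net fs,      login order:             %d\n", scenario_netfs_login_order());
    printf("net fs,      creds in session hook:   %d\n", scenario_netfs_creds_in_session());
    return 0;
}
```

The first two scenarios show why the specification puts the session first: a cache stored under the home directory has no location until the session phase has run. The next two show Sam's objection: once the home directory itself needs network credentials, neither order satisfies both modules, because each phase depends on the other. The last scenario is the arrangement Ted says is used in practice, with credentials established during pam_open_session and setcred doing nothing, which resolves the cycle under the documented order.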