What a mess. The basic problem is that pam_setcred is an interesting concept without much of a formal definition. (For example, when/how will a module require credentials be refreshed?)

The original PAM RFC:

http://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz

contains an explicit example (see "APPENDIX B. SAMPLE PAM APPLICATION") where it is pretty explicit that the setcred(pamh, PAM_ESTABLISH_CRED) call happens after the session is opened. However, as commented here (by Ted in May of this year):

http://www.mailgate.org/linux/linux.redhat.pam/msg01757.html

this doesn't actually make much sense...

Looking through the sources for Linux-PAM, I believe that we presently advocate the reverse policy from that which rfc86.0 was suggesting. Indeed, I believe that all of the Linux-PAM source code and documentation presently recommend setcred before open_session (this is from documentation of February this year):

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/doc/pam_modules.sgml.diff?r1=1.3&r2=1.4
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/doc/pam_appl.sgml.diff?r1=1.3&r2=1.4

What currently confuses me about all this is the relative timing of these changes. Perhaps I was just cleaning house, or perhaps someone pointed out the inconsistent state of the world at around that time?

Whatever the case, this appears to have been all dealt with as part of Bug 229775.

Cheers

Andrew
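
The two orderings discussed in the message above, as an added example that is not part of the original message or of Linux-PAM: a small checker that walks a trace of an application's PAM calls and reports where it departs from the setcred-before-open_session order. The trace format, the sample traces and the names `pam_check_call` and `pam_check_trace` are constructed for this example; the teardown rule comes from the pam_setcred(3) man page, not from the message.

```c
#include <stdio.h>
#include <string.h>

/* What one PAM transaction has done so far, as seen in a call trace. */
struct pam_state { int cred; int session; };

/* Check one traced call against the order the message says Linux-PAM
 * documents: pam_setcred(PAM_ESTABLISH_CRED) before pam_open_session.
 * Teardown rule (close the session, then delete credentials) is taken from
 * pam_setcred(3), not from the message. Returns NULL when the call fits. */
const char *pam_check_call(struct pam_state *s, const char *call)
{
    if (strstr(call, "PAM_ESTABLISH_CRED")) { s->cred = 1; return NULL; }
    if (strstr(call, "pam_open_session")) {
        s->session = 1;
        return s->cred ? NULL : "session opened before credentials established";
    }
    if (strstr(call, "pam_close_session")) { s->session = 0; return NULL; }
    if (strstr(call, "PAM_DELETE_CRED")) {
        s->cred = 0;
        return s->session ? "credentials deleted while session still open" : NULL;
    }
    return NULL; /* other calls are not order-checked here */
}

/* Count ordering findings in a trace of n calls; print them if verbose. */
int pam_check_trace(const char *const *trace, int n, int verbose)
{
    struct pam_state s = {0, 0};
    int findings = 0;
    for (int i = 0; i < n; i++) {
        const char *msg = pam_check_call(&s, trace[i]);
        if (!msg) continue;
        findings++;
        if (verbose) printf("call %d, %s: %s\n", i + 1, trace[i], msg);
    }
    return findings;
}

/* Constructed traces (hypothetical one-call-per-entry format). */
const char *const linux_pam_order[] = { "pam_authenticate", "pam_acct_mgmt",
    "pam_setcred(PAM_ESTABLISH_CRED)", "pam_open_session",
    "pam_close_session", "pam_setcred(PAM_DELETE_CRED)" };
const char *const rfc86_order[] = { "pam_authenticate", "pam_acct_mgmt",
    "pam_open_session", "pam_setcred(PAM_ESTABLISH_CRED)",
    "pam_close_session", "pam_setcred(PAM_DELETE_CRED)" };

int main(void)
{
    pam_check_trace(linux_pam_order, 6, 1);
    return pam_check_trace(rfc86_order, 6, 1) == 1 ? 0 : 1;
}
```

The trace that follows the rfc86.0 Appendix B order produces one finding at its `pam_open_session` entry; the Linux-PAM order produces none.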