> OK, I'm running out of hair to pull on this one and searching Google and
> SourceForge didn't help. I'm trying to build a PAM control file for testing
> a new PAM module. The environment is SuSE Linux 7.0, running
> Linux-PAM 0.72. I'd like to make my test-module "sort of optional" while
> I'm working on it. Sounds like a tailor-made case for the "more elaborate
> (newer) syntax" PAM control file:
>
>     module-type [ value=action value=action ... ] module-path arguments
>
> My first attempt failed miserably, and was rather complex, so I figured I'd back
> off to something really simple: Could I explicitly describe "optional" and get
> the same results as "optional"? Of course, the answer is NO, or I wouldn't be
> writing!
>
> The first problem was figuring out exactly what "optional" means in more complex
> terms. According to libpam/pam_handlers.c, it's the same as "[success=ok
> new_authtok_reqd=ok default=ignore]". I'd *love* to see the SysAdmin manual
> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html) include
> the complex forms for all four simple forms so I won't have to go code-diving next
> time.
>
> Second problem - coding exactly that results in different behavior from "optional".
> Specifically, when my test-module returns PAM_SERVICE_ERR, later modules
> in the stack aren't executed with the complex form, but are with the simple form.
>
> I've read the code in pam_handlers.c and pam_misc.c until my eyes crossed, and
> this makes no sense to me. It's obvious how _pam_parse_conf_file() maps "optional"
> to an action array, and while _pam_parse_control() isn't obvious, it's hardly rocket
> science.
>
> What gives? Anybody understand this stuff?
>
> Ross Patterson
> Computer Associates