Hi Ivan, Ivan Popov <pin@math.chalmers.se> wrote: > On Sat, 28 Dec 2002, Joerg Sommer wrote: >> > be handy if the user's application wants to do it's own authentication. >> >> I don't know, if this is a good thing or if you open with this some >> security holes. > > The applications which grant privileges (login, sshd and similar) are run > by root anyway, so they are going to be configured by root... > > An application which grants access to some user's resources is totally > under the responsibility of that user anyway. The user already has the And there is the question, where is the limit? What is user resource and what should control the admin? xlock is such a case. Some students locks their X session and go to a lecture. The next lesson in the pool could not take all PCs because they are locked. There is it good, if the root password can unlock the session. Otherwise we kill the processes of the user. If the user can ban root from unlocking his session, root has the only way to kill the user processes. So I don't want that the user can control the pam file for xlock. >> Better is IMHO, if the admin can include a file into a >> file in /etc/pam.d/x, somthing like "$HOME/.pam/x". > > Why have to create identical pam entries on thousands of hosts, as soon as Because I can so control, what the user can do and can prevent some things, that I don't want. OK is, if I can grant rights on a user base. Mr. A can control xlock, Mr. B can control... > runnable on multiple administration domains, where the administrators do > not want to touch their hosts' /etc. ACK, that's a really bad situation. And I don't see a better solution then yours. >> And what is such a application, that want do authentication by its own >> way? And what it will do different to /etc/pam.d/x? > > We could run several instances of the same application (sshd, samba, > younameit), even on the same host, with different authentication policies ACK, but I think there is the better way to pass different service names to pam. Yes, I see your is need is real and I don't see any solution. But your extention must completely be able to switch off. Then you again depend on root, but other ways are dangerous, IMHO. Salut, Joerg. _______________________________________________ Pam-list@redhat.com https://listman.redhat.com/mailman/listinfo/pam-list
