Re: An "orthogonal" way of using libpam


 



Hello Joerg!

On Sat, 28 Dec 2002, Joerg Sommer wrote:

> If the user can ban root from unlocking his session, root has the only
> way to kill the user processes. So I don't want the user to be able to
> control the pam file for xlock.

It has nothing to do with pam; a user can always lock root out without
using pam. A trivial example:

#!/bin/sh

clear

trap "" 1 2 3 ....
while true
  do
  echo "Enter password:"
  read pass
  case x"$pass" in
  xMyOwnPass) break ;;
  esac
done

[then if you are running X you have to instruct the window manager to
unconditionally keep focus on that window - but you do not have to be
superuser to do it, just be authorized to the display]

So it is just a matter of policy what a user is allowed and not allowed
to do. PAM cannot prevent locking abuse, either locking too hard or locking
too loose...

Regards,
--
Ivan



_______________________________________________

Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
