I am the maintainer of the pam_mount module, which allows volumes to be mounted when a user logs on and unmounted when he logs off.

What is the proper behavior (if there is one) of PAM-enabled applications when a user logs off? Should pam_sm_close_session-related code be run with a uid or euid of 0?

Here is what I have come across:

The su included in the version of Debian I use maintains its euid of 0 after forking and execing a shell. This results in pam_sm_close_session code being executed with a euid of 0.

The login included in the version of Debian I use drops its privileges, resulting in pam_sm_close_session code being executed as some user (much different behavior than su).

The (broken) su included in openpam (FreeBSD, etc.) drops all privileges before forking and execing a shell, resulting in pam_sm_close_session code executing as some user.

Obviously I am seeing several different behaviors. Is one proper? Certainly, for my purposes I hope that pam_sm_close_session code should be run with an euid of 0.

Thank you.

--
Mike

_______________________________________________
Pam-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/pam-list
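
As an added illustration (not part of the original message and not pam_mount code): a session-close path that needs euid 0 can try to raise it only for the privileged step, restore it afterwards, and fail cleanly when the calling application has already given up root. The names `run_with_root_euid` and `record_euid` are hypothetical, and `record_euid` is a constructed stand-in for the unmount.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical callback type: the step that needs root (e.g. the unmount). */
typedef int (*priv_fn)(void *arg);

/*
 * Run fn with euid 0 if this process can still reach it, then restore
 * the original euid. seteuid(0) succeeds only while the real or saved
 * set-user-ID is 0, so an application that dropped every uid before
 * closing the session makes this return -1 (errno EPERM) and fn never runs.
 */
int run_with_root_euid(priv_fn fn, void *arg)
{
    uid_t orig = geteuid();
    int rc, saved_errno;

    if (orig != 0 && seteuid(0) != 0)
        return -1;                      /* root is not reachable */

    rc = fn(arg);
    saved_errno = errno;

    if (orig != 0 && seteuid(orig) != 0)
        return -1;                      /* never carry on as root by accident */

    errno = saved_errno;
    return rc;
}

/* Constructed stand-in for the unmount: records the euid it ran with. */
static int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

int main(void)
{
    uid_t seen = (uid_t)-1;

    if (run_with_root_euid(record_euid, &seen) == 0)
        printf("privileged step ran with euid %ld\n", (long)seen);
    else
        perror("cannot obtain euid 0 at session close");
    return 0;
}
```

Run from an unprivileged shell this reports the failure path, which is what a module sees when the application has dropped all privileges before the session is closed.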