Re: _pam_dispatch_aux does not ignore chained setcred on skip action

I guess I'm completely confused by your observations. Could you try again to explain what you think is wrong?

Here is how it works:

The jumps are taken/not taken in exactly the way they were 'frozen' in the 'auth' phase - the return codes from the 'cred' phase don't affect the path through the stack - just the final return code.

In the auth case, the module should be able to determine if it likes the user: the admin defines the path through the stack based on the module's return codes, and this path is frozen in the 'auth' phase. If the module likes the user when run in its 'auth' mode, it may have a credential to offer in the later phase - or it can say 'I know you authenticated before, but I've just encountered a credential setting error so we have a problem and I'm throwing you an error in this setcred phase'.

In the case that the module fails the auth, when it is invoked in the setcred phase it should return PAM_SUCCESS (=I did nothing and that's ok) or PAM_IGNORE (=I did nothing).

Again, the jump directions are not dictated by the 'cred' responses in any way. They've been frozen in the 'auth' phase. The only thing that the 'cred' responses affect is the final return code from the pam_setcred() call.

I fail to see what is broken about this. Perhaps you could clarify your position again?

Thanks

Andrew

Sam Hartman wrote:
"Andrew" == Andrew Morgan <morgan@xxxxxxxxxxxxx> writes:



Andrew> The error status for the setcred sequence is treated as if
Andrew> the module was listed 'cred required ...'. That is, the
Andrew> chain will execute everything and fail if one of the
Andrew> modules returns an error.

Yes.  And my point is that this seems like a bogus design decision in
the case of a skip/jump action.

Again, I re-ask my question: in the case of a jump action, why do you
want to treat the module as required?  When is this ever the behavior
users want?

In the absence of a compelling justification, I will change the
behavior.


_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list



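The dispatch rule Andrew lays out above, as an added Python model for readers of the thread; it is not Linux-PAM's own _pam_dispatch_aux, and the module names, the two-entry stack and the simplified control syntax are constructed for illustration:

```python
# Added model of the rule described in the thread: the path through the stack
# is frozen in the 'auth' phase and replayed in 'setcred', where return codes
# only decide the final result. NOT Linux-PAM's _pam_dispatch_aux; the control
# syntax and aggregation below are simplified assumptions mirroring the post.
from typing import Dict, List, Tuple

PAM_SUCCESS, PAM_AUTH_ERR, PAM_CRED_ERR, PAM_IGNORE = 0, 7, 17, 25  # Linux-PAM values

# Stack entry: (module, {return-code-or-"default": action}); action is "ok",
# "ignore", "bad" (record the failure, keep going) or int N (skip next N entries).
Stack = List[Tuple[str, Dict[object, object]]]

def run_auth(stack: Stack, rcs: Dict[str, int]) -> Tuple[int, List[bool]]:
    """Auth phase: walk the stack, take the jumps, freeze which entries ran."""
    frozen = [False] * len(stack)
    result, i = PAM_IGNORE, 0
    while i < len(stack):
        name, control = stack[i]
        frozen[i] = True
        rc = rcs[name]
        action = control.get(rc, control.get("default", "bad"))
        if action == "bad" and result in (PAM_IGNORE, PAM_SUCCESS):
            result = rc                     # first failure decides the result
        elif (action == "ok" or isinstance(action, int)) and result == PAM_IGNORE:
            result = PAM_SUCCESS
        i += 1 + (action if isinstance(action, int) else 0)
    return result, frozen

def run_setcred(stack: Stack, frozen: List[bool], rcs: Dict[str, int]) -> int:
    """Setcred phase: replay the frozen path. Cred codes never alter the path;
    any error from an entry that ran is treated as 'cred required' (the point
    Sam objects to for jump entries); PAM_SUCCESS and PAM_IGNORE are both fine."""
    result = PAM_SUCCESS
    for (name, _), ran in zip(stack, frozen):
        rc = rcs[name]
        if ran and rc not in (PAM_SUCCESS, PAM_IGNORE) and result == PAM_SUCCESS:
            result = rc
    return result

# Constructed stack: a jump entry in front of a 'required' fallback entry.
STACK: Stack = [
    ("pam_first",  {PAM_SUCCESS: 1, "default": "ignore"}),  # [success=1 default=ignore]
    ("pam_second", {PAM_SUCCESS: "ok", "default": "bad"}),  # required
]

def scenario(auth_rcs: Dict[str, int], cred_rcs: Dict[str, int]) -> Tuple[int, List[bool], int]:
    auth_result, frozen = run_auth(STACK, auth_rcs)
    return auth_result, frozen, run_setcred(STACK, frozen, cred_rcs)

if __name__ == "__main__":
    # pam_first authenticates and jumps over pam_second; its setcred error alone
    # fails pam_setcred() although it was a jump entry, not 'required'.
    print(scenario({"pam_first": PAM_SUCCESS, "pam_second": PAM_SUCCESS},
                   {"pam_first": PAM_CRED_ERR, "pam_second": PAM_SUCCESS}))
    # pam_first fails auth (ignored), pam_second runs; pam_first is still on the
    # frozen path and answers PAM_IGNORE ('I did nothing') in setcred.
    print(scenario({"pam_first": PAM_AUTH_ERR, "pam_second": PAM_SUCCESS},
                   {"pam_first": PAM_IGNORE, "pam_second": PAM_SUCCESS}))
```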
