On Sun, Jul 06, Ethan Benson wrote:

> On Sun, Jul 06, 2003 at 05:54:58PM -0500, Steve Langasek wrote:
> >
> > Convince the OpenSSH maintainers that the current behavior is incorrect,
> > and get them to change it.
>
> who says it's incorrect? not the pam docs. pam_session running as
> root has always been an assumption.

Where does the PAM doc say that you can change the rights between the
function calls? If you look at the RFC, pam_session is called before
dropping privileges, not after.

And that dropping the privileges before calling the session management
is safer is a dream of some people: You have to trust the PAM module,
because you already called some functions from it before, which are
much more critical.

  Thorsten

--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@xxxxxxx
SuSE Linux AG Deutschherrnstr. 15-19 D-90429 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list