On Mon, Jul 07, 2003 at 08:56:08AM +0200, Thorsten Kukuk wrote: > Where says the pam doc that you can change the rights between > the function calls? It doesn't say that you can, but there are many things which you can do which the spec doesn't say that you can do. The problem (assuming that you're not supposed to be able to do that) is that the spec doesn't prohibit such a thing. It's underspecified. > If you look at the RFC, pam_sesseion is called before dropping > privilegs, not after. The RFC has its own problems. The sample assumes that someone else will close the session properly, which for some authentication mechanisms is not possible without state information that dies with this process. The sample code is also incomplete, omitting crucial details which, being left open to interpretation, have bitten people badly when implementors interpreted them differently. > And that dropping the priviliges before calling the session > management is safer is a dream of some people: You have to trust > the PAM module, because you called already some functions from it > before, which are much more critical. Consider pam_limits, which to work properly must be called to open a session after privileges have been dropped (else certain limits such as that on the number of running processes prevents applications like sshd from even forking to start a shell on behalf of the user). IIRC, this is the specific reason that OpenSSH has flipflopped on this particular question before [1]. Nalin [1] http://bugzilla.mindrot.org/show_bug.cgi?id=83 _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
