On Wed, Mar 21, Aaron Cohen wrote:

> I'm currently trying to use pam_exec to call a script to synchronize
> my home directories with a central server and have come across a
> couple of issues.
>
> Firstly, does pam_exec make any sense outside of the "session" section
> of pam.conf?

Yes, it does. Only look at the example section of the manual page.

> It seems slightly hairy to me, because for instance if
> it's in the auth section a user could cause a program to be executed
> by another user by only unsuccessfully attempting to log in as that
> user.

Only an admin can configure this module, so it depends on what he
allows and what not.

> Secondly, is there any way to distinguish in the exec'ed program that
> the session is being opened or closed? I've finally created a simple
> patch that defines a PAM_SESSION_ACTION environment variable in the
> executed subprocess so that my script can do the correct actions.
>
> Thirdly, does the seteuid option actually work correctly?

Yes, it does. Please also look at the example section of the manual
page.

> It seems to
> me that it simply sets the effective user id to whatever the effective
> user id already was.

Correct, it sets the effective user id to the one of the calling
application.

> My patch changes this by setting the effective
> userid of the subprocess to the user id of the user whose session is
> being created if this option is specified.

This change breaks all available configurations, especially the
example from the manual page. Please introduce new options, not
change existing ones.

Thorsten

--
Thorsten Kukuk, Project Manager Base System, Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
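Added example, not part of the original message and not code from Linux-PAM: a hook script for pam_exec that tells session open from session close and treats PAM_USER as untrusted, which matters for the case raised above of the module sitting in the auth section. It assumes a pam_exec that exports PAM_TYPE and PAM_USER as documented in current pam_exec(8), rather than the PAM_SESSION_ACTION variable from the patch; sync_home and the function names are hypothetical.

```shell
#!/bin/sh
# Hook intended to be run by pam_exec (assumed deployment: a "session" line).
# PAM_TYPE and PAM_USER are the variables documented in pam_exec(8);
# sync_home is a hypothetical placeholder for the real work.

# Decide what to do from the environment pam_exec provides.
# Prints one of: open, close, skip, reject.
pam_hook_action() {
    # In the auth stack PAM_USER is whatever login name was typed, before any
    # authentication succeeded, so validate it before using it anywhere.
    case "${PAM_USER:-}" in
        ''|-*|*[!A-Za-z0-9._-]*) echo reject; return 0 ;;
    esac
    case "${PAM_TYPE:-}" in
        open_session)  echo open ;;
        close_session) echo close ;;
        # auth, account, password or unset: nobody is logged in yet, do nothing.
        *)             echo skip ;;
    esac
}

# Hypothetical sync step; replace with the real synchronisation command.
sync_home() {
    echo "would sync home of $2 ($1)"
}

pam_hook_main() {
    action=$(pam_hook_action)
    case "$action" in
        open|close) sync_home "$action" "$PAM_USER" ;;
        reject)     echo "refusing unexpected PAM_USER" >&2; return 1 ;;
        skip)       return 0 ;;
    esac
}

# Act only when pam_exec has set PAM_TYPE; otherwise just define the functions.
if [ -n "${PAM_TYPE:-}" ]; then
    pam_hook_main
fi
```

Because the script ignores every PAM_TYPE other than open_session and close_session, a failed login attempt against another user's name does not trigger the sync even if the line is misplaced in the auth section.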