[for pkg-shadow-devel readers, I'm just retrying with my address subscribed to pam-list. Sorry for the duplicate.]

Hello,

According to the Linux-PAM Module Writers' Guide and the Linux-PAM Application Developers' Guide, the PAM_USER item can be set or changed by any module, and should be checked after each call to a PAM function.

Now I'm having a problem with pam_setcred. It is specified that the UID and GID credentials should be set before calling this function. Is it possible that the pam_setcred function changes the PAM_USER item? In that case, what do you think should be the behavior of applications? (redo a setuid/setgid?)

After calling pam_setcred, I'm also calling pam_open_session; can the PAM_USER item be changed also at that time?

Do you have examples of modules that change the PAM_USER item?

My questions are related to su (from shadow-utils), which uses the following sequence:

    pam_start (always with a non-NULL username)
    pam_authenticate
    pam_acct_mgmt
    (pam_chauthtok)
    pam_setcred
    pam_open_session

Currently, su considers that it has to switch to the user specified on the command line. Do you think su should follow the changes made to PAM_USER? (and up to what step in the above sequence?) Or should su always do what it was requested to do, even if PAM_USER was changed to authenticate another user or for any other reason? (I'm lacking the rationale or use cases for changing PAM_USER)

Thanks in advance,
--
Nekral