On Wed, Nov 16, David Mitton wrote:

> Quoting Nicolas François <nekral.lists@xxxxxxxxx>:
>
>> Hello,
>>
>> On Wed, Nov 16, 2011 at 10:38:55AM -0500, David Mitton wrote:
>>>
>>> This was discussed in some other forum (which I lost my breadcrumbs to).
>>> It's moot to me, as I currently don't plan on changing that value.
>>> But login should not assume that getpwnam(PAM_USER) will work until
>>> committed with a setcred.
>>
>> OK. I see your point and getpwnam() should be delayed as much as possible.
>>
>> However, login is required to setuid(<UID>) / setgid(<GID>) before
>> setcred, and <UID> or <GID> can only be found using getpwnam(PAM_USER).
>
> Why would that be?

Because else pam_setcred cannot modify them and calling them afterwards
would invalidate all changes pam_setcred() is doing.

> and where is it written?

Did you ever read the manual page about pam_setcred()?

"Such credentials should be established, by the application, prior
to a call to this function. For example, initgroups(2) (or equivalent)
should have been performed."

  Thorsten

--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)