On Fri, Nov 18, Tomas Mraz wrote:

> On Thu, 2011-11-17 at 16:59 +0100, Thorsten Kukuk wrote:
> > On Thu, Nov 17, David Mitton wrote:
> >
> > > Which was the first thing I saw login do wrong. It calls pam_open_session
> > > before pam_setcred. I'm waiting for someone to explain that.
> >
> > As I think somebody wrote already here: it's a bug in login where
> > I did send already a patch upstream.
>
> Note that the original PAM RFC has an example where the pam_setcred() is
> called AFTER the pam_open_session(). This conflict with the manual page
> was never resolved one way or another.

The requirement to call pam_setcred() before pam_open_session() was
only found out later, when people did recognize that you need to set
the credentials before calling pam_open_session, so that some things
which need the credentials can work in pam_open_session().
I remember at least pam_mount and kerberos for example.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
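An added example, not part of the thread and not code from login or Linux-PAM: a small source audit that flags C code where pam_open_session() appears before pam_setcred(..., PAM_ESTABLISH_CRED), the ordering discussed above. It compares the textual order of calls only (no control-flow analysis), and the two C snippets are constructed samples.

```python
import re

# C comments are blanked out so a call mentioned in a comment is not counted.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
CALL = re.compile(r"\b(pam_setcred|pam_open_session)\s*\(([^()]*)\)")


def strip_comments(src):
    """Remove C comments but keep their newlines so line numbers stay valid."""
    return COMMENT.sub(lambda m: "\n" * m.group().count("\n"), src)


def audit(src):
    """Return (ok, open_line, establish_line) for one C source text.

    ok is False when pam_open_session() is present and no
    pam_setcred(..., PAM_ESTABLISH_CRED) call appears before it.
    """
    code = strip_comments(src)
    open_line = establish_line = None
    for m in CALL.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        name, args = m.group(1), m.group(2)
        if name == "pam_open_session":
            if open_line is None:
                open_line = line
        elif "PAM_ESTABLISH_CRED" in args and establish_line is None:
            establish_line = line
    ok = open_line is None or (
        establish_line is not None and establish_line < open_line)
    return ok, open_line, establish_line


# Constructed sample: session opened before credentials are established.
BUGGY = """\
/* pam_setcred(pamh, PAM_ESTABLISH_CRED) belongs before the session */
rc = pam_acct_mgmt(pamh, 0);
rc = pam_open_session(pamh, 0);
rc = pam_setcred(pamh, PAM_ESTABLISH_CRED);
"""

# Constructed sample: credentials established first, then the session.
FIXED = """\
rc = pam_acct_mgmt(pamh, 0);
rc = pam_setcred(pamh, PAM_ESTABLISH_CRED);
rc = pam_open_session(pamh, 0);
"""

if __name__ == "__main__":
    for label, src in (("buggy", BUGGY), ("fixed", FIXED)):
        print(label, audit(src))
```

A hit from this check is a prompt to read the function by hand, since branches and helper functions can change the real call order.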