Re: Login PAM interaction suspect


On Fri, Nov 18, Tomas Mraz wrote:

> On Thu, 2011-11-17 at 16:59 +0100, Thorsten Kukuk wrote: 
> > On Thu, Nov 17, David Mitton wrote:
> > 
> > 
> > > Which was the first thing I saw login do wrong.  It calls pam_open_session 
> > > before pam_setcred.  I'm waiting for someone to explain that.
> > 
> > As I think somebody already wrote here: it's a bug in login, for which
> > I already sent a patch upstream.
> Note that the original PAM RFC has an example where the pam_setcred() is
> called AFTER the pam_open_session(). This conflict with the manual page
> was never resolved one way or another.

The requirement to call pam_setcred() before pam_open_session() was only
found out later, when people recognized that you need to set the
credentials before calling pam_open_session(), so that some things which
need the credentials can work in pam_open_session(). I remember
at least pam_mount and Kerberos, for example.


Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
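
An added example, not part of the original message or of login's source: a small C checker that walks a trace of PAM calls and flags the ordering discussed in this thread, pam_open_session() reached before pam_setcred(PAM_ESTABLISH_CRED). The trace format (one call name per line, arguments after a space) and both sample traces are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pam_order { ORDER_OK, ORDER_SESSION_BEFORE_CRED, ORDER_NO_SESSION };

/* Constructed traces: one PAM call per line, arguments after a space. */
static const char BUGGY_TRACE[] =
    "pam_start login\npam_authenticate\npam_acct_mgmt\n"
    "pam_open_session\npam_setcred PAM_ESTABLISH_CRED\n";
static const char FIXED_TRACE[] =
    "pam_start login\npam_authenticate\npam_acct_mgmt\n"
    "pam_setcred PAM_ESTABLISH_CRED\npam_open_session\n"
    "pam_close_session\npam_setcred PAM_DELETE_CRED\npam_end\n";

/* Report whether a session was opened while no credentials were set. */
enum pam_order check_pam_order(const char *trace)
{
    int cred_set = 0, session_seen = 0;
    char buf[128];

    while (*trace) {
        /* Copy the current line (truncated if overlong) into buf. */
        size_t len = strcspn(trace, "\n");
        size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
        memcpy(buf, trace, n);
        buf[n] = '\0';

        if (strncmp(buf, "pam_setcred", 11) == 0) {
            if (strstr(buf, "PAM_ESTABLISH_CRED"))
                cred_set = 1;
            else if (strstr(buf, "PAM_DELETE_CRED"))
                cred_set = 0;
        } else if (strncmp(buf, "pam_open_session", 16) == 0) {
            if (!cred_set)      /* session modules would run without creds */
                return ORDER_SESSION_BEFORE_CRED;
            session_seen = 1;
        }
        trace += len;
        if (*trace == '\n')
            trace++;
    }
    return session_seen ? ORDER_OK : ORDER_NO_SESSION;
}

int main(void)
{
    printf("buggy: %d\nfixed: %d\n",
           check_pam_order(BUGGY_TRACE), check_pam_order(FIXED_TRACE));
    return 0;
}
```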

Pam-list mailing list
