Thanks Tomas. I had not seen it stated anywhere about the effective 0 uid.
That is not the behaviour I am seeing and, as you say, broken calling apps may muck this up. I'm going to write my own setuid executable and use pam_exec.

Thanks all

On Wed, Mar 13, 2013 at 11:39 AM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
>
> PAM session modules (that is the modules configured in the session stack
> and called through the pam_sm_open_session() and pam_sm_close_session())
> expect to be called with effective uid == 0. So there should be no need
> to add any setuid helper for this functionality. Of course there might
> be non-compliant applications that call the session modules with regular
> user id but other modules will be broken for them as well.
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
>                                               Turkish proverb
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
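
The thread concerns which uid session-stack code runs with when a helper is launched through pam_exec. pam_exec(8) documents a `seteuid` option: by default the command runs with the real user ID of the calling process, and `seteuid` runs it with the effective user ID. The hook below is an added example, not code from the thread or from Linux-PAM; the install path, the `session-hook` name and the function names are assumptions. It checks the context pam_exec hands it before doing any privileged work and logs both uids so a non-compliant caller is visible.

```shell
#!/bin/sh
# Session hook meant to be run by pam_exec. Hypothetical install path and
# PAM line (constructed for this example):
#   session optional pam_exec.so seteuid /usr/local/sbin/session-hook

# check_context EUID PAM_TYPE PAM_USER
# returns 0 = do the privileged work
#         1 = not a session call, nothing to do
#         2 = refuse (not effective uid 0, or unsafe user name)
check_context() {
    case "$2" in
        open_session|close_session) ;;
        *) return 1 ;;
    esac
    # Session modules are expected to run with effective uid 0.
    [ "$1" = "0" ] || return 2
    # PAM_USER comes from the caller: reject empty names, a leading '-',
    # and anything outside a conservative character set before using it.
    case "$3" in
        ''|-*|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    return 0
}

run_hook() {
    euid=$(id -u)      # effective uid of this process
    ruid=$(id -ru)     # real uid of this process
    check_context "$euid" "${PAM_TYPE:-}" "${PAM_USER:-}"
    rc=$?
    case $rc in
        0)  logger -t session-hook "$PAM_TYPE for $PAM_USER (euid=$euid ruid=$ruid)"
            # privileged per-session work would go here
            return 0 ;;
        1)  return 0 ;;
        *)  logger -t session-hook \
                "refused: euid=$euid ruid=$ruid service=${PAM_SERVICE:-unknown}"
            return 1 ;;
    esac
}

# pam_exec exports PAM_TYPE; only act when invoked that way.
if [ -n "${PAM_TYPE:-}" ]; then
    run_hook
    exit $?
fi
```

A refusal logged with a non-zero euid points at the calling application or a missing `seteuid` option rather than at the hook.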