Hello, friends.
While writing a PAM module to implement some credentials restriction rules required by my company, I was somewhat surprised by the behavior of the pam_rootok module, which is used by services like "su" and "su-l" (on stock RHEL7).
After some debugging and playing around, it was nothing that changing the order of the modules for the "auth" stack couldn't work around, by moving my module up, above pam_rootok (that has a "sufficient" control value in the default configuration), in fact making it the very first module in the stack.
However, since I want my company's restrictions to be the last thing to be applied, and some other module _might_ (now or in the future) have something else in pam_sm_setcred(), I got a little bit concerned about placing it as the very first rule.
I then downloaded the source code and took a look on it, and started wondering about a few things:
1) If pam_rootok.so doesn't really do anything in pam_sm_setcred(), why does it return PAM_SUCCESS, instead of PAM_IGNORE?
2) If the default no-op return code changed from PAM_SUCCESS to PAM_IGNORE, would it cause a big disruption?
3) Wouldn't it be nice if even the "no-op" functions would display something when the "debug" option is applied to the module?
Thank you for your attention.
Regards,--
Paulo A. P. Pires
... Qui habet aurem audiat quid Spiritus dicat ecclesiis.
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
