Re: [Pkg-shadow-devel] PAM_USER set by modules
- From: Nicolas François <nekral lists gmail com>
- To: pam-list redhat com
- Cc: pkg-shadow-devel lists alioth debian org
- Subject: Re: [Pkg-shadow-devel] PAM_USER set by modules
- Date: Wed, 21 May 2008 10:04:04 +0200
[for pkg-shadow-devel readers, I'm just retrying with my address
subscribed to pam-list. Sorry for the duplicate.]
Hello,
According to the Linux-PAM Module Writers' Guide and the Linux-PAM
Application Developers' Guide, the PAM_USER item can be set or changed by
any module, and should be checked after each call to a PAM function.
Now I'm having a problem with pam_setcred. It is specified that the UID
and GID credentials should be set before calling this function.
Is it possible that the pam_setcred function changes the PAM_USER item?
In that case, what do you think should be the behavior of applications?
(redo a setuid/setgid?)
After calling pam_setcred, I'm also calling pam_open_session, can the
PAM_USER item be changed also at that time?
Do you have examples of modules that change the PAM_USER item?
My questions are related to su (from shadow-utils), which uses the
following sequence:
pam_start (always with a non NULL username)
pam_authenticate
pam_acct_mgmt
(pam_chauthtok)
pam_setcred
pam_open_session
Currently, su considers that it has to switch to the user specified on the
command line.
Do you think su should follow the changes made to PAM_USER? (and up to
what step in the above sequence?)
Or should su always do what it was requested to do, even if PAM_USER was
changed to authenticate another user or for any other reason?
(I'm lacking the rationale or use cases for changing PAM_USER)
Thanks in advance,
--
Nekral
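As an added example (not code from the mail, from shadow-utils or from Linux-PAM), a small C tracker that a su-like program could feed with the value of pam_get_item(PAM_USER) after each of the six calls listed above, so that a change made by a module is attributed to the step where it happened. The policy it encodes is an assumption chosen for illustration: follow a PAM_USER change only while no credentials have been established, and refuse one that shows up at or after pam_setcred.

```c
#include <stdio.h>
#include <string.h>

/* su's PAM sequence, in the order the mail lists it. */
enum su_pam_step {
    STEP_START, STEP_AUTHENTICATE, STEP_ACCT_MGMT,
    STEP_CHAUTHTOK, STEP_SETCRED, STEP_OPEN_SESSION, STEP_COUNT
};

/* PAM_USER as read after every PAM call, plus the user su would switch to. */
struct pam_user_trace {
    char requested[64];          /* user named on the su command line */
    char target[64];             /* user su would currently switch to */
    char seen[STEP_COUNT][64];   /* PAM_USER as read after each step */
    int  first_change;           /* first step where it differed, or -1 */
};

void trace_init(struct pam_user_trace *t, const char *requested) {
    memset(t, 0, sizeof *t);
    snprintf(t->requested, sizeof t->requested, "%s", requested);
    snprintf(t->target, sizeof t->target, "%s", requested);
    t->first_change = -1;
}

/* Call once after each PAM function with the item pam_get_item(PAM_USER)
 * returned (NULL if a module unset it; recorded as "").  Returns 0 to go on,
 * -1 if su must abort: PAM_USER changed at or after pam_setcred, when the
 * UID/GID credentials have already been committed for another user, or
 * PAM_USER was unset so there is nobody to switch to.
 * Assumed policy (not su's actual behaviour): before pam_setcred the
 * target simply follows the new PAM_USER. */
int trace_record(struct pam_user_trace *t, enum su_pam_step step,
                 const char *pam_user) {
    const char *cur = pam_user ? pam_user : "";
    snprintf(t->seen[step], sizeof t->seen[step], "%s", cur);
    if (strcmp(t->target, cur) == 0)
        return 0;                          /* unchanged: nothing to do */
    if (t->first_change < 0)
        t->first_change = (int)step;
    if (step >= STEP_SETCRED || *cur == '\0')
        return -1;                         /* too late, or nothing to switch to */
    snprintf(t->target, sizeof t->target, "%s", cur);
    return 0;
}
```

A stretch of `trace_record` returning 0 up to STEP_OPEN_SESSION with `first_change` still -1 is the common case; a non-negative `first_change` is worth logging even when su goes on.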