PAM modules violating PAM architecture?, e.g. mod_auth_pam - apache 2?

Jed Donnelley jed at nersc.gov
Sat Oct 9 02:17:14 UTC 2004


At 03:12 AM 10/7/2004, Kenneth Porter wrote:
>--On Wednesday, October 06, 2004 11:44 AM -0700 Jed Donnelley 
><jed at nersc.gov> wrote:
>
>>Puzzled, I looked at mod_auth_pam.c (1.1.1) and found:
>>
>>418:  pwent = getpwnam(r->connection->user);
>>and
>>464:   if ((grent = getgrnam (groupname)) && grent->gr_mem) {
>
>My copy says "#define VERSION "2.0-1.1" and has only 412 lines. The 
>tarball name claims version 1.1.1, found here:
>
><http://pam.sourceforge.net/mod_auth_pam/>
>
>Where did you pull your copy from?

The same.  I'm referring to the 1.3 version, 1.1.1.  I just pulled down the
2.0-1.1.1 version and took a look.  It looks quite different.  I do see:

#include <pwd.h>                /* for getpwnam et.al. */
#include <grp.h>                /* for getpwnam et.al. */

but then I don't see any calls to getpwnam or to getgrnam.  Perhaps the
version for Apache 2.x fixes this problem?  I'd be willing to give it a try,
though I may not get to it for a week or so.

>I do see lines like that in mod_auth_sys_group.c, which is compiled into a 
>separate module.

I think that may be unavoidable due to the lack of a PAM
configuration/interface for group lookup.  Well, the call to getgrnam anyway.
Do you see a call to getpwnam?  That might cause a problem, but perhaps the
best way to check would be to try it out.

--Jed http://www.nersc.gov/~jed/ 



