Date: Sat, 14 Jun 2003 16:00:23 -0700 (PDT)
From: Dag-Erling Smorgrav <des@ofug.org>
To: freebsd-i386@FreeBSD.org
Subject: Re: i386/53324: pam_group problems (PAM_RUSER used instead of PAM_USER)
Message-ID: <200306142300.h5EN0NDd081853@freefall.freebsd.org>
The following reply was made to PR i386/53324; it has been noted by GNATS.

From: Dag-Erling Smorgrav <des@ofug.org>
To: Kamen@edelweiss.dyns.cx
Cc: "Angelov <kamenangelov"@netscape.net, FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: i386/53324: pam_group problems (PAM_RUSER used instead of PAM_USER)
Date: Sun, 15 Jun 2003 00:59:41 +0200

Kamen Angelov <kamenangelov@netscape.net> writes:
> I believe this is a problem with pam_group itself: the module reads
> the PAM_RUSER field instead of PAM_USER when trying to fetch the
> username of the user.  I believe PAM_USER would be the correct field
> to read in this context.

No.  PAM_RUSER is the applicant, PAM_USER is the user you're trying to
log in as.  The purpose of pam_group(8) is to check that the applicant
is in the correct group.  The correct solution to your problem would
be to make pam_group(8) understand the auth_as_self flag, not to
blindly change PAM_RUSER to PAM_USER.

> When PAM_RUSER is replaced with PAM_USER all warnings disappear and
> everything seems to work as expected.

Except for su(1), which is what pam_group(8) is intended for.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
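
Added example (not part of the original message and not pam_group's source): a small C model of the distinction drawn in the reply, for an su(1)-style request. The PAM_RUSER and PAM_USER items are passed as plain strings, and the accounts, the wheel membership and the names wheel_check, CHECK_RUSER and CHECK_USER are constructed for illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed accounts and group data (assumptions, not from the PR). */
struct acct { const char *name; gid_t gid; };
static const struct acct accts[] = {
    { "root", 0 }, { "alice", 1001 }, { "mallory", 1002 },
};
static char *wheel_mem[] = { "root", "alice", NULL };
static const struct group wheel = {
    .gr_name = "wheel", .gr_gid = 0, .gr_mem = wheel_mem,
};

static const struct acct *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(accts) / sizeof(accts[0]); i++)
        if (strcmp(accts[i].name, name) == 0)
            return &accts[i];
    return NULL;
}

/* Member if the primary gid matches or the name is in the member list. */
static int in_group(const struct acct *a, const struct group *g)
{
    if (a->gid == g->gr_gid)
        return 1;
    for (char **m = g->gr_mem; *m != NULL; m++)
        if (strcmp(*m, a->name) == 0)
            return 1;
    return 0;
}

enum who { CHECK_RUSER, CHECK_USER };

/* ruser models PAM_RUSER (applicant), user models PAM_USER (target).
 * Returns 1 if the request passes the wheel check, 0 if it is denied. */
int wheel_check(const char *ruser, const char *user, enum who which)
{
    const struct acct *a = lookup(which == CHECK_RUSER ? ruser : user);
    return a != NULL && in_group(a, &wheel);
}

int main(void)
{
    printf("mallory -> root, applicant checked: %d\n", wheel_check("mallory", "root", CHECK_RUSER));
    printf("mallory -> root, target checked:    %d\n", wheel_check("mallory", "root", CHECK_USER));
    return 0;
}
```

With the target checked, the request to become root passes for any applicant, because root itself is in wheel; the group restriction on su(1) no longer constrains who is asking.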