From owner-freebsd-security Fri Jan 19 10:33: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id 9DFC737B401 for ; Fri, 19 Jan 2001 10:32:51 -0800 (PST) Received: from jenkins.web.us.uu.net (localhost.web.us.uu.net [127.0.0.1]) by jenkins.web.us.uu.net (Postfix) with ESMTP id 9CBC612685; Fri, 19 Jan 2001 13:32:50 -0500 (EST) To: freebsd-security@FreeBSD.ORG Cc: djm@web.us.uu.net Subject: pam_setcred confusion Date: Fri, 19 Jan 2001 13:32:50 -0500 From: "David J. MacKenzie" Message-Id: <20010119183250.9CBC612685@jenkins.web.us.uu.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org A note about my PAM patches: the FreeBSD man page for pam_setcred says: This function is used to establish, maintain and delete the credentials of a user. It should be called after a user has been authenticated and before a session is opened ^^^^^^ for the user (with pam_open_session(3)). The Solaris 8 man page for pam_setcred says: The pam_setcred() function is used to establish, modify, or delete user credentials. It is typically called after the user has been authenticated and after a session has been ^^^^^ opened. See pam_authenticate(3PAM), pam_acct_mgmt(3PAM), and pam_open_session(3PAM). Notice that they disagree on the order of the PAM calls. When I wrote my patches I was referencing the Solaris documentation. Perhaps the order doesn't matter, in practice. If it does, then the order of pam_open_session() and pam_setcred() calls may need to be reversed. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message