From owner-freebsd-security  Fri Jan 19 12:15:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153])
	by hub.freebsd.org (Postfix) with ESMTP id 5079937B400
	for <freebsd-security@FreeBSD.ORG>; Fri, 19 Jan 2001 12:14:55 -0800 (PST)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102])
	by gw.nectar.com (Postfix) with ESMTP
	id 9596A193E3; Fri, 19 Jan 2001 14:14:53 -0600 (CST)
Received: (from nectar@localhost)
	by hamlet.nectar.com (8.11.1/8.9.3) id f0JKErq67083;
	Fri, 19 Jan 2001 14:14:53 -0600 (CST)
	(envelope-from nectar@spawn.nectar.com)
Date: Fri, 19 Jan 2001 14:14:53 -0600
From: "Jacques A. Vidrine" <n@nectar.com>
To: "David J. MacKenzie" <djm@web.us.uu.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: pam_setcred confusion
Message-ID: <20010119141453.D66917@hamlet.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" <n@nectar.com>,
	"David J. MacKenzie" <djm@web.us.uu.net>,
	freebsd-security@FreeBSD.ORG
References: <20010119183250.9CBC612685@jenkins.web.us.uu.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010119183250.9CBC612685@jenkins.web.us.uu.net>; from djm@web.us.uu.net on Fri, Jan 19, 2001 at 01:32:50PM -0500
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Jan 19, 2001 at 01:32:50PM -0500, David J. MacKenzie wrote:
> A note about my PAM patches: the FreeBSD man page for pam_setcred says:
> 
>        This  function  is  used to establish, maintain and delete
>        the credentials of a user. It should  be  called  after  a
>        user has been authenticated and before a session is opened
>                                        ^^^^^^
>        for the user (with pam_open_session(3)).                                                                                                                                                                                 
> 
> The Solaris 8 man page for pam_setcred says:
> 
>      The pam_setcred() function is used to establish, modify,  or
>      delete  user  credentials.  It is typically called after the
>      user has been authenticated and after  a  session  has  been
>                                      ^^^^^
>      opened.   See  pam_authenticate(3PAM),  pam_acct_mgmt(3PAM),
>      and pam_open_session(3PAM).
> 
> Notice that they disagree on the order of the PAM calls.
> When I wrote my patches I was referencing the Solaris documentation.
> Perhaps the order doesn't matter, in practice.
> If it does, then the order of pam_open_session() and pam_setcred()
> calls may need to be reversed.

The FreeBSD PAM is based on Linux-PAM.  If you do ultimately find out
that this is a problem, please drop the Linux-PAM authors a line,
also.


Also see my post to this list earlier this week about the fact that
pam_setcred does not seem to work (at least in the Linux-PAM -- and
therefore FreeBSD -- implementation).

-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message