From owner-freebsd-security Fri Jan 19 12:15:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 5079937B400 for ; Fri, 19 Jan 2001 12:14:55 -0800 (PST) Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id 9596A193E3; Fri, 19 Jan 2001 14:14:53 -0600 (CST) Received: (from nectar@localhost) by hamlet.nectar.com (8.11.1/8.9.3) id f0JKErq67083; Fri, 19 Jan 2001 14:14:53 -0600 (CST) (envelope-from nectar@spawn.nectar.com) Date: Fri, 19 Jan 2001 14:14:53 -0600 From: "Jacques A. Vidrine" To: "David J. MacKenzie" Cc: freebsd-security@FreeBSD.ORG Subject: Re: pam_setcred confusion Message-ID: <20010119141453.D66917@hamlet.nectar.com> Mail-Followup-To: "Jacques A. Vidrine" , "David J. MacKenzie" , freebsd-security@FreeBSD.ORG References: <20010119183250.9CBC612685@jenkins.web.us.uu.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010119183250.9CBC612685@jenkins.web.us.uu.net>; from djm@web.us.uu.net on Fri, Jan 19, 2001 at 01:32:50PM -0500 X-Url: http://www.nectar.com/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Jan 19, 2001 at 01:32:50PM -0500, David J. MacKenzie wrote: > A note about my PAM patches: the FreeBSD man page for pam_setcred says: > > This function is used to establish, maintain and delete > the credentials of a user. It should be called after a > user has been authenticated and before a session is opened > ^^^^^^ > for the user (with pam_open_session(3)). > > The Solaris 8 man page for pam_setcred says: > > The pam_setcred() function is used to establish, modify, or > delete user credentials. It is typically called after the > user has been authenticated and after a session has been > ^^^^^ > opened. See pam_authenticate(3PAM), pam_acct_mgmt(3PAM), > and pam_open_session(3PAM). > > Notice that they disagree on the order of the PAM calls. > When I wrote my patches I was referencing the Solaris documentation. > Perhaps the order doesn't matter, in practice. > If it does, then the order of pam_open_session() and pam_setcred() > calls may need to be reversed. The FreeBSD PAM is based on Linux-PAM. If you do ultimately find out that this is a problem, please drop the Linux-PAM authors a line, also. Also see my post to this list earlier this week about the fact that pam_setcred does not seem to work (at least in the Linux-PAM -- and therefore FreeBSD -- implementation). -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message