From: Garrett Wollman
To: Robert Watson
Cc: freebsd-security@freebsd.org
Date: Sat, 14 Jul 2007 13:53:26 -0400
Subject: Re: OpenBSM questions

< said:

> This is correct -- login services must be modified to properly set up user
> audit state at login. I am not familiar with work relating to this with xdm,
> kdm, gdm, etc, but it would be very good to see this happen.

Surely this is something that belongs in a PAM module...? The whole point
of the PAM framework is that you should *not* have to modify every program
that does a login when new mechanisms are introduced or policy changes.

-GAWollman