From owner-freebsd-doc@FreeBSD.ORG Fri Aug 15 18:28:41 2008
Return-Path:
Delivered-To: freebsd-doc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 715191065670 for ; Fri, 15 Aug 2008 18:28:41 +0000 (UTC) (envelope-from vmutu@pcbi.upenn.edu)
Received: from snowball.pcbi.upenn.edu (SNOWBALL.pcbi.UPENN.EDU [128.91.62.2]) by mx1.freebsd.org (Postfix) with ESMTP id E6F978FC12 for ; Fri, 15 Aug 2008 18:28:40 +0000 (UTC) (envelope-from vmutu@pcbi.upenn.edu)
Received: from bsdera.pcbi.upenn.edu (bsdera.pcbi.upenn.edu [165.123.89.250]) by snowball.pcbi.upenn.edu (8.12.11.20060308/8.12.11) with ESMTP id m7FI0jig030498 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 15 Aug 2008 14:00:45 -0400
Received: from bsdera.pcbi.upenn.edu (localhost [127.0.0.1]) by bsdera.pcbi.upenn.edu (8.14.2/8.14.2) with ESMTP id m7FI0i4G002902; Fri, 15 Aug 2008 14:00:44 -0400 (EDT) (envelope-from vlr@bsdera.pcbi.upenn.edu)
Received: (from vlr@localhost) by bsdera.pcbi.upenn.edu (8.14.2/8.14.2/Submit) id m7FI0iJM002901; Fri, 15 Aug 2008 14:00:44 -0400 (EDT) (envelope-from vlr)
Date: Fri, 15 Aug 2008 14:00:44 -0400
From: Valeriu Mutu
To: freebsd-doc@freebsd.org
Message-ID: <20080815180044.GF1327@bsdera.pcbi.upenn.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Organization: Penn Center for Bioinformatics
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Improving pam.conf(5) manual page
X-BeenThere: freebsd-doc@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Documentation project
X-List-Received-Date: Fri, 15 Aug 2008 18:28:41 -0000

Hi,

After experimenting with PAM lately I found the manual page pam.conf(5)
somewhat confusing regarding the definition of the "sufficient" control
flag:

    sufficient = If this module succeeds, the chain is broken and the
    result is success. If it fails, the rest of the chain still runs,
    but the final result will be failure unless a later module
    succeeds.

Nevertheless, the chain isn't broken when there are modules with a
"required" flag. Here is an example:

    auth    sufficient    pam_unix.so    debug no_warn try_first_pass
    auth    required      pam_deny.so    debug

Hence, pam_deny will be invoked even if pam_unix succeeds. If the above
is changed to:

    auth    sufficient    pam_unix.so    debug no_warn try_first_pass
    auth    sufficient    pam_deny.so    debug

then pam_deny isn't invoked, as it has the "sufficient" flag now.

I checked the manual page for pam.conf(5) in FreeBSD 8-current and it
contains the same definition of "sufficient" as shown above. I checked
it here:

http://www.freebsd.org/cgi/man.cgi?query=pam.conf&apropos=0&sektion=0&manpath=FreeBSD+8-current&format=html

Hence, it would be helpful if the definition were changed to:

    sufficient = If this module succeeds and the following modules are
    sufficient, the chain is broken and the result is success. If it
    fails, the rest of the chain still runs, but the final result will
    be failure unless a later module succeeds.

Valeriu
--
Valeriu Mutu
Penn Center for Bioinformatics
215-573-8119
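The message turns on how a PAM chain is evaluated once a "sufficient" module succeeds. The simulator below is an added example (not part of the message, and not OpenPAM's own code): it parses pam.conf-style lines and walks an "auth" chain applying the control-flag rules (required, requisite, sufficient, binding, optional) as this example's author understands OpenPAM's dispatch loop, which is an assumption to check against the library source. Module outcomes are constructed inputs rather than real modules, and the function names (parse_pam_conf, dispatch, run) are this example's own. It reports both the final result and which modules were actually invoked, which is the question the poster is asking.

```python
"""Simulate control-flag dispatch for a pam.conf 'auth' chain.

Added example. The rules below model OpenPAM-style dispatch as understood by
the example's author (an assumption); the library source is authoritative.
"""
from typing import Dict, List, NamedTuple, Tuple

# Return codes used by the constructed module outcomes.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"
PAM_SYSTEM_ERR = "PAM_SYSTEM_ERR"

FLAGS = ("required", "requisite", "sufficient", "binding", "optional")


class Entry(NamedTuple):
    facility: str
    flag: str
    module: str
    args: Tuple[str, ...]


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse 'facility flag module [args...]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(Entry(parts[0].lower(), parts[1].lower(), parts[2], tuple(parts[3:])))
    return entries


def dispatch(chain: List[Entry], outcomes: Dict[str, str],
             facility: str = "auth") -> Tuple[str, List[str]]:
    """Walk the chain; return (final result, modules actually invoked).

    outcomes maps module name -> constructed return code (default: failure).
    """
    fail = False      # set once a required/binding/requisite module fails
    err = None        # first failure seen, overridden by the first required failure
    invoked: List[str] = []
    for e in chain:
        if e.facility != facility:
            continue
        if e.flag not in FLAGS:
            raise ValueError(f"unknown control flag {e.flag!r}")
        r = outcomes.get(e.module, PAM_AUTH_ERR)
        invoked.append(e.module)
        if r == PAM_IGNORE:
            continue
        if r == PAM_SUCCESS:
            # A successful sufficient/binding module ends the chain, but only
            # if no required module before it has already failed.
            if e.flag in ("sufficient", "binding") and not fail:
                break
            continue
        # Failure path: remember the first failure; a required/binding failure
        # pins the final result; a requisite failure stops the chain at once.
        if err is None:
            err = r
        if e.flag in ("required", "binding") and not fail:
            fail, err = True, r
        if e.flag == "requisite":
            fail = True
            break
    if not invoked:
        return PAM_SYSTEM_ERR, invoked   # no chain for this facility: deny
    if not fail:
        return PAM_SUCCESS, invoked
    return err, invoked


def run(conf_text: str, outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    return dispatch(parse_pam_conf(conf_text), outcomes)


# Constructed chains, taken from the two configurations quoted in the message.
CHAIN_A = """
auth    sufficient    pam_unix.so    debug no_warn try_first_pass
auth    required      pam_deny.so    debug
"""
CHAIN_B = """
auth    sufficient    pam_unix.so    debug no_warn try_first_pass
auth    sufficient    pam_deny.so    debug
"""

if __name__ == "__main__":
    good = {"pam_unix.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR}
    bad = {"pam_unix.so": PAM_AUTH_ERR, "pam_deny.so": PAM_AUTH_ERR}
    for name, chain in (("A", CHAIN_A), ("B", CHAIN_B)):
        for label, outcomes in (("password ok", good), ("password wrong", bad)):
            print(name, label, run(chain, outcomes))
```

Under this model a successful pam_unix ends either chain before pam_deny is reached, while a wrong password in chain A falls through to the required pam_deny and is denied; swapping the order so a required module fails first shows why the "no earlier required failure" clause matters, because the later sufficient success then no longer grants access.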