Date: Sun, 20 May 2007 22:33:38 -0400
From: "Zane C.B." <v.velox@vvelox.net>
To: Dan Lukes <dan@obluda.cz>
Cc: freebsd-hackers@freebsd.org
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <20070520223338.49409574@vixen42>
In-Reply-To: <4650F93A.3080603@obluda.cz>
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42> <86tzu7ifp2.fsf@dwp.des.no> <20070520132410.58989605@vixen42> <4650939B.6020004@obluda.cz> <20070520200310.4a79954e@vixen42> <4650F93A.3080603@obluda.cz>

On Mon, 21 May 2007 03:43:22 +0200
Dan Lukes <dan@obluda.cz> wrote:

> Zane C.B. napsal/wrote, On 05/21/07 02:03:
> >> 3. wants to be PAM aware, but its programmer is too lazy to
> >> write it the clean way (as regular pam module) - we need the
> >> patch
> >>
> >> The patch shall be rejected because the only purpose of
> >> it is to support lazy programmers creating hacks instead of
> >> solutions.
> >
> > Actually it does not support lazy programming, but makes life of an
> > administrator easier.
>
> The contrib/smbfs/mount_smbfs/mount_smbfs.c is very short
> and simple. Writing PAM module with same functionality requires
> almost the same amount of time as patching it. In advance, you need
> catch not only pam_sm_session_open but pam_sm_session_close (I
> assume you plan to umount resource also). Unfortunately (unless I
> miss something) pam_exec has no way to pass about 'direction' to
> called program. You can't use simple heuristic "when not mounted
> mount it and vice versa" also because the same user can have more
> than one simultaneous active session.

True. That would be another issue. Regardless, it is going to need a
daemon to run in the background or something. I don't think using PAM
to figure out if it should be unmounted is a good idea, unless you
kill all processes owned by that user upon session close.

IMO it would be best to check if there are any processes running
owned by that user before unmounting it and if there are, leave it
for the cleanup daemon.

> The logic you need to implement seems to require much more
> coding than simple patch on either pam_exec or mount_smbfs ...
>
> pam_exec in chain more hurts than helps. IMHO, of course.
>
> But further discussion about it seems not to be security
> related, so we should not continue here.

Yup. Moving to hackers. :)
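
The check proposed in the reply above (unmount only when the user owns no remaining processes, otherwise leave the mount to a cleanup job), as an added shell example that is not part of the original message or of pam_exec. The function names, the PROC_LISTING override and the sample process table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide at session close whether a per-user mount may be
# removed now or must be deferred, because the same user can have more than
# one active session. It only prints a decision; it never calls umount.

# list_procs: print "user pid" pairs, one per line. If PROC_LISTING is set
# (hypothetical override), it replaces the live ps call so the logic can be
# exercised on constructed data.
list_procs() {
    if [ -n "${PROC_LISTING+set}" ]; then
        printf '%s\n' "$PROC_LISTING"
    else
        ps -ax -o user= -o pid=
    fi
}

# count_user_procs USER [IGNORE_PID]: number of processes owned by USER,
# not counting IGNORE_PID (for example the hook itself, if it runs as USER).
count_user_procs() {
    list_procs | awk -v u="$1" -v skip="${2:-}" \
        '$1 == u && $2 != skip { n++ } END { print n + 0 }'
}

# unmount_decision USER [IGNORE_PID]: prints "unmount" when no process of
# USER remains and "defer" otherwise. A new login can still start between
# this check and the unmount, so the deferred cleanup remains necessary.
unmount_decision() {
    if [ "$(count_user_procs "$1" "${2:-}")" -eq 0 ]; then
        echo unmount
    else
        echo defer
    fi
}

# Constructed sample: alice still has a second login, bob has one process.
SAMPLE='root 1
alice 812
alice 977
bob 1204'
```

With `PROC_LISTING="$SAMPLE"`, `unmount_decision alice 977` prints `defer` because process 812 is still alive, while `unmount_decision bob 1204` prints `unmount`.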