PAM and arla

Tobias Schaefer T.Schaefer at science-computing.de
Mon Jul 26 16:01:26 CEST 1999


On 24 Jul 1999, Assar Westerlund wrote:

> Herbert Huber <Herbert.Huber at lrz-muenchen.de> writes:
> > auth     sufficient     /lib/security/pam_linux_afs.so try_first_pass
> > ignore_root setpag
> 
> I believe the `setpag' option here means that the PAM module will call
> setpag?

Yes.

> > Using this configuration, the token is not passed to the user during
> > login. Without the setpag option one sees that the token is granted to
> > root.
> 
> Assuming that root has a PAG when running this, this is the expected
> behavior.  If root doesn't have a PAG, the user's tokens should get
> indexed by uid instead.

No.

Take a login program as an example (login or xdm):

pam_sm_authenticate() runs as root. If root has no PAG (and none is
created at this point) the user's login name and password are used to
get a token for that user. This token is bound to the UID of root. Then
the login program changes to the user's ID. The token is still bound to
root's UID. The user is properly authenticated but has no token bound to
his UID.

If a PAG is created in this function, it is created prior to getting the
token. So the token is bound to the PAG. Login changes to the user's UID.
But the PAG is not affected. The token is still bound to the PAG and the
user has the proper credentials. This is the expected behaviour.

The third case is especially confusing with xdm:

In this case the setpag option is not given in the PAM configuration file
but a PAG is created by root (e.g. with pagsh). Then xdm is started. The
first user logs in, and his token is bound to the PAG. He has his proper
credentials and everything seems fine. A second user logs in (from an
X-terminal) and a different token is created and bound to the same PAG.
The credentials of the first user are lost and both users work with the
credentials of the second user. Then a third user logs in...


Tobias
-- 

  Tobias Schaefer                       Phone   07071-9457-0
  science + computing gmbh              FAX     07071-9457-27
  Hagellocher Weg 71
  D-72070 Tuebingen                     Email   T.Schaefer at science-computing.de
                                        WWW     http://www.science-computing.de/
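The three cases above (no PAG, PAG created by the PAM module, PAG shared by all xdm logins) as an added toy model; this is constructed example code, not Arla or pam_linux_afs code. It assumes the kernel indexes tokens by PAG when the process has one and by UID otherwise, that a new token replaces the old one under the same index, and that setuid() leaves the PAG untouched, which is the behaviour the mail describes.

```python
# Toy model of AFS token binding (constructed for this example; not Arla code).
# Assumption modelled: the kernel indexes tokens by PAG when the process has
# one, otherwise by UID, and keeps a single token per index (new overwrites).
from dataclasses import dataclass, field
from typing import Optional
ROOT, ALICE, BOB = 0, 1000, 1001

@dataclass
class Kernel:
    tokens: dict = field(default_factory=dict)  # index -> user who owns the token
    next_pag: int = 1

@dataclass
class Process:
    kernel: Kernel
    uid: int = ROOT
    pag: Optional[int] = None
    def index(self):
        return ("pag", self.pag) if self.pag is not None else ("uid", self.uid)
    def setpag(self):                     # new PAG for this process only
        self.pag, self.kernel.next_pag = self.kernel.next_pag, self.kernel.next_pag + 1
    def fork(self):                       # children inherit the PAG
        return Process(self.kernel, self.uid, self.pag)
    def pam_authenticate(self, user, setpag_option):
        # stand-in for pam_sm_authenticate(): runs as root, optionally
        # creates a PAG first, then obtains a token bound to the current index
        if setpag_option:
            self.setpag()
        self.kernel.tokens[self.index()] = user
    def token_owner(self):
        return self.kernel.tokens.get(self.index())

def login(parent, user, setpag_option):
    """login/xdm child: PAM as root, then switch to the user's UID (PAG unchanged)."""
    p = parent.fork()
    p.pam_authenticate(user, setpag_option)
    p.uid = user
    return p

def case_no_pag():              # root has no PAG, no setpag option
    k = Kernel(); alice = login(Process(k), ALICE, False)
    return alice.token_owner(), k.tokens.get(("uid", ROOT))   # (None, ALICE)

def case_setpag():              # setpag option given
    return login(Process(Kernel()), ALICE, True).token_owner()  # ALICE

def case_xdm_shared_pag():      # PAG created by root (pagsh), then xdm
    root = Process(Kernel()); root.setpag()
    alice = login(root, ALICE, False); bob = login(root, BOB, False)
    return alice.token_owner(), bob.token_owner()   # (BOB, BOB)
```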