[1020] in arla-drinkers
Re: PAM and arla
daemon@ATHENA.MIT.EDU (Tobias Schaefer)
Mon Jul 26 10:06:06 1999
Date: Mon, 26 Jul 1999 16:01:03 +0200 (MET DST)
From: Tobias Schaefer <T.Schaefer@science-computing.de>
To: Assar Westerlund <assar@stacken.kth.se>
cc: Herbert Huber <Herbert.Huber@lrz-muenchen.de>,
arla-drinkers@stacken.kth.se
Subject: Re: PAM and arla
In-Reply-To: <5lso6e8ybw.fsf@assaris.sics.se>
Message-ID: <Pine.SOL.4.02.9907261532260.22647-100000@pollux.science-computing.de>
On 24 Jul 1999, Assar Westerlund wrote:

> Herbert Huber <Herbert.Huber@lrz-muenchen.de> writes:
> > auth sufficient /lib/security/pam_linux_afs.so try_first_pass
> > ignore_root setpag
>
> I believe the `setpag' option here means that the PAM module will call
> setpag?

Yes.

> > Using this configuration, the token is not passed to the user during
> > login. Without the setpag option one sees that the token is granted to
> > root.
>
> Assuming that root has a PAG when running this, this is the expected
> behavior. If root doesn't have a PAG, the user's tokens should get
> indexed by uid instead.

No.
Take a login program as an example (login or xdm):

pam_sm_authenticate() runs as root. If root has no PAG (and none is
created at this point) the user's login name and password are used to
get a token for that user. This token is bound to the UID of root. Then
the login program changes to the user's ID. The token is still bound to
root's UID. The user is properly authenticated but has no token bound to
his UID.

If a PAG is created in this function, it is created prior to getting the
token. So the token is bound to the PAG. Login changes to the user's UID.
But the PAG is not affected. The token is still bound to the PAG and the
user has the proper credentials. This is the expected behaviour.

The third case is especially confusing with xdm:

In this case the setpag option is not given in the PAM configuration file
but a PAG is created by root (e.g. with pagsh). Then xdm is started. The
first user logs in, and his token is bound to the PAG. He has his proper
credentials and everything seems fine. A second user logs in (from an
X-terminal) and a different token is created and bound to the same PAG.
The credentials of the first user are lost and both users work with the
credentials of the second user. Then a third user logs in...
Tobias
--
Tobias Schaefer Phone 07071-9457-0
science + computing gmbh FAX 07071-9457-27
Hagellocher Weg 71
D-72070 Tuebingen Email: T.Schaefer@science-computing.de
WWW: http://www.science-computing.de/
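The three login cases Tobias walks through above, replayed as an added example that is not part of the original mail and is not arla or pam_linux_afs code. It models a cache manager that indexes tokens by PAG when the process has one and by UID otherwise, then runs the login sequence (authenticate as root, obtain the token, switch to the user's UID) with and without a PAG. The PAG numbers, UIDs and principal names are constructed; `pam_login`, `CacheManager` and the `case_*` functions are hypothetical names for the model, not real APIs.

```python
# Added example (not arla or pam_linux_afs code): a small model of how an AFS
# cache manager indexes tokens, by PAG when the process has one and by UID
# otherwise, used to replay the three login cases described in the mail.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Process:
    """Minimal process credential state: a UID and an optional PAG."""
    uid: int
    pag: Optional[int] = None  # None means "no PAG"


class CacheManager:
    """Token store keyed the way the mail describes: PAG if present, else UID."""

    def __init__(self) -> None:
        self.tokens: Dict[Tuple[str, int], str] = {}  # ("pag"|"uid", n) -> principal
        self._next_pag = 0x41000000  # constructed starting value, not a real PAG

    def cred_key(self, proc: Process) -> Tuple[str, int]:
        return ("pag", proc.pag) if proc.pag is not None else ("uid", proc.uid)

    def setpag(self, proc: Process) -> int:
        """Attach a fresh PAG to the calling process (what the setpag option does)."""
        self._next_pag += 1
        proc.pag = self._next_pag
        return proc.pag

    def set_token(self, proc: Process, principal: str) -> None:
        """Store a token under the caller's current credential key."""
        self.tokens[self.cred_key(proc)] = principal

    def get_token(self, proc: Process) -> Optional[str]:
        return self.tokens.get(self.cred_key(proc))


def pam_login(cm: CacheManager, user_uid: int, principal: str,
              use_setpag: bool, parent: Optional[Process] = None) -> Process:
    """Replay login/xdm: authenticate as root, then switch to the user's UID.

    `parent` stands for the already-running root process (xdm); a child
    inherits its PAG, if any, just as a forked process would.
    """
    proc = Process(uid=0, pag=parent.pag if parent else None)
    if use_setpag:
        cm.setpag(proc)            # PAG created *before* the token is obtained
    cm.set_token(proc, principal)  # pam_sm_authenticate() runs as root
    proc.uid = user_uid            # setuid(); the PAG is not affected
    return proc


def case_no_setpag() -> Tuple[Optional[str], Optional[str]]:
    """Case 1: no PAG anywhere -> token lands on root's UID, the user has none."""
    cm = CacheManager()
    user = pam_login(cm, 1000, "alice", use_setpag=False)
    return cm.get_token(user), cm.get_token(Process(uid=0))


def case_setpag() -> Tuple[Optional[str], Optional[str]]:
    """Case 2: setpag before the token -> token follows the PAG across setuid."""
    cm = CacheManager()
    user = pam_login(cm, 1000, "alice", use_setpag=True)
    return cm.get_token(user), cm.get_token(Process(uid=0))


def case_shared_pag() -> Tuple[Optional[str], Optional[str]]:
    """Case 3: root made a PAG (pagsh) before starting xdm, module lacks setpag."""
    cm = CacheManager()
    xdm = Process(uid=0)
    cm.setpag(xdm)  # pagsh by root; every login session now inherits this PAG
    first = pam_login(cm, 1000, "alice", use_setpag=False, parent=xdm)
    second = pam_login(cm, 1001, "bob", use_setpag=False, parent=xdm)
    # The second token overwrote the first: both sessions now act as "bob".
    return cm.get_token(first), cm.get_token(second)


if __name__ == "__main__":
    print("no setpag  (user, root):", case_no_setpag())
    print("setpag     (user, root):", case_setpag())
    print("shared PAG (first, second):", case_shared_pag())
```

The model makes the ordering constraint visible: the PAG must exist before the token is fetched, and it must be created per login rather than once by the parent, otherwise every session started from that parent shares one credential slot and the latest login wins.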