
Re: Shouldn't desktop environments use *term -ls? (Re: The best recommendation [...])



>>>>> "Brian" == Brian May <bam@snoopy.apana.org.au> writes:

    Brian> On Fri, 2002-07-12 at 09:34, Manfred Wassmann wrote:
    >> Either pam_env.so isn't run or it doesn't work.

    Brian> I suspect (but haven't checked) in some window managers
    Brian> that PAM authentication occurs in a separate process (like
    Brian> the new feature in sshd).

    Brian> Hence any changes PAM modules make to the current process
    Brian> will be discarded when the authentication process exits.

    Brian> If this is the case, it's not really a bug, more just
    Brian> another limitation in PAM.  -- Brian May

As PAM maintainer, I assert this is a bug; the PAM mini-policy
document in the next unstable PAM upload will certainly make this more
clear.  Note that I don't actually think that document has
force-of-policy but you should follow it for all the same reasons you
should follow policy: it provides a consistent user experience, it
provides interoperability, it defines interfaces/requirements people
need to follow so things actually work.

There are enough PAM modules that depend on the ability to influence
state that both the open_session and setcred entry points need to be
called in the same process that will fork the child.  In addition, the
close_session and pam_end entry points need to be called using the
same PAM handle as open_session, pam_start, etc.

If your application design is completely incompatible with this, we'll
have to do the best we can.  However neither sshd (even with privilege
separation) nor display managers fall into this category.

