Re: Shouldn't desktop environments use *term -ls? (Re: The best recommendation [...])
>>>>> "Brian" == Brian May <bam@snoopy.apana.org.au> writes:
Brian> On Fri, 2002-07-12 at 09:34, Manfred Wassmann wrote:
>> Either pam_env.so isn't run or it doesn't work.
Brian> I suspect (but haven't checked) in some window managers
Brian> that PAM authentication occurs in a separate process (like
Brian> the new feature in sshd).
Brian> Hence any changes PAM modules make to the current process
Brian> will be discarded when the authentication process exits.
Brian> If this is the case, it's not really a bug, more just
Brian> another limitation in PAM.
Brian> -- Brian May

As PAM maintainer, I assert this is a bug; the PAM mini-policy
document in the next unstable PAM upload will certainly make this more
clear. Note that I don't actually think that document has
force-of-policy but you should follow it for all the same reasons you
should follow policy: it provides a consistent user experience, it
provides interoperability, it defines interfaces/requirements people
need to follow so things actually work.

There are enough PAM modules that depend on the ability to influence
state that both the open_session and setcred entry points need to be
called in the same process that will fork the child. In addition, the
close_session and pam_end entry points need to be called using the
same PAM handle as open_session, pam_start, etc.

If your application design is completely incompatible with this, we'll
have to do the best we can. However, neither sshd (even with privilege
separation) nor display managers fall into this category.