Re: pam and kerberos + xlock on Debian
On Fri, Nov 16, 2001 at 12:04:54PM -0500, Sam Hartman wrote:
> >>>>> "Martin" == Martin Povolny <xpovolny@aurora.fi.muni.cz> writes:
>
>
> Martin> Ok, so for now there's probably only the quick, dirty and
> Martin> bad solution:
>
> Is that really a bad solution? xlock is designed to be able to be
> setuid. It's not ideal, but I wouldn't call it bad.
>
> You could also make /etc/krb5.keytab readable by a group that xlock
> was setgid to.
xlock seems to drop setgid status before calling PAM, if I've read the
code correctly. I don't particularly like this behaviour; would there
be a reason not to reinstate any set[ug]id status before calling PAM?
Julian
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Julian Gilbey, Dept of Maths, Debian GNU/Linux Developer
Queen Mary, Univ. of London see http://people.debian.org/~jdg/
http://www.maths.qmul.ac.uk/~jdg/ or http://www.debian.org/
Visit http://www.thehungersite.com/ to help feed the hungry
Also: http://www.helpthehungry.org/
Reply to: