
Re: Shouldn't desktop environments use *term -ls? (Re: The best recommendation [...])

>>>>> "Brian" == Brian May <bam@snoopy.apana.org.au> writes:

    Brian> On Fri, 2002-07-12 at 09:34, Manfred Wassmann wrote:
    >> Either pam_env.so isn't run or it doesn't work.

    Brian> I suspect (but haven't checked) in some window managers
    Brian> that PAM authentication occurs in a separate process (like
    Brian> the new feature in sshd).

    Brian> Hence any changes PAM modules make to the current process
    Brian> will be discarded when the authentication process exits.

    Brian> If this is the case, it's not really a bug, more just
    Brian> another limitation in PAM.  -- Brian May

As PAM maintainer, I assert this is a bug; the PAM mini-policy
document in the next unstable PAM upload will certainly make this more
clear.  Note that I don't actually think that document has
force-of-policy but you should follow it for all the same reasons you
should follow policy: it provides a consistent user experience, it
provides interoperability, it defines interfaces/requirements people
need to follow so things actually work.

There are enough PAM modules that depend on the ability to influence
state that both the open_session and setcred entry points need to be
called in the same process that will fork the child.  In addition, the
close_session and pam_end entry points need to be called using the
same PAM handle as open_session, pam_start, etc.

If your application design is completely incompatible with this, we'll
have to do the best we can.  However neither sshd (even with privilege
separation) nor display managers fall into this category.
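
Added example, not part of the original message and not code from PAM or any display manager: a C sketch of the process layout discussed in this thread, showing that state set by a module in a helper process is lost, while state set in the process that forks the session child is inherited. It makes no libpam calls; `stub_open_session` and `DEMO_SESSION_VAR` are hypothetical stand-ins for a session module and the state it sets.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_VAR "DEMO_SESSION_VAR"   /* constructed name, not a real PAM variable */

/* Stand-in for a session module that changes process state
 * (hypothetical; no libpam call is made here). */
static void stub_open_session(void) {
    setenv(DEMO_VAR, "set-by-module", 1);
}

/* Fork the "user session" child and report whether it sees DEMO_VAR:
 * 1 = visible, 0 = missing, -1 = error. */
static int session_child_sees_var(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(getenv(DEMO_VAR) ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0;
}

/* Layout suspected in the quoted text: the module runs in a helper
 * process that exits before the session child is forked. */
int layout_separate_helper(void) {
    unsetenv(DEMO_VAR);
    pid_t helper = fork();
    if (helper < 0) return -1;
    if (helper == 0) { stub_open_session(); _exit(0); }
    if (waitpid(helper, NULL, 0) < 0) return -1;
    return session_child_sees_var();   /* helper's change died with it */
}

/* Layout the reply requires: the module runs in the same process
 * that forks the session child. */
int layout_same_process(void) {
    unsetenv(DEMO_VAR);
    stub_open_session();
    int seen = session_child_sees_var();
    unsetenv(DEMO_VAR);                /* leave the process as we found it */
    return seen;
}

int main(void) {
    printf("separate helper: child sees var = %d\n", layout_separate_helper());
    printf("same process:    child sees var = %d\n", layout_same_process());
    return 0;
}
```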
