Another round of testing calls.

Ed Phillips ed at UDel.Edu
Thu Oct 25 23:38:50 EST 2001


On Wed, 24 Oct 2001, Darren Moffat wrote:

> Date: Wed, 24 Oct 2001 17:44:25 -0700 (PDT)
> From: Darren Moffat <Darren.Moffat at eng.sun.com>
> To: openssh-unix-dev at mindrot.org
> Subject: Re: Another round of testing calls.
>
> >How do you enforce PAM limits without opening a session then?
>
> pam_limits should probably be either a pam_acct_mgmt or pam_setid module.

What is pam_setid?  Do you mean pam_setcred?  pam_setcred has always been
a little fuzzy... the pam_setcred from pam_unix.so has changed function
between Sol2.6 and Sol7.  In 2.6, pam_sm_setcred did nothing and
initgroups() was called by login or other apps directly.  In Sol7,
pam_sm_setcred actually called initgroups() and the apps were made
to call pam_setcred with expectations of it calling initgroups().

> pam_limits doesn't exist on Solaris.  Solaris does however have pam_projects
> which deals with setting resource control information for project(4).

Caveat: You won't see that man page unless you have installed something
like Sol8 1/01 or newer.  If you have FCS + all Recommended Patches, you
won't see it (even though the features exist).

> It isn't really clear from the man pages what the true purpose of
> pam_open_session is but it can be inferred from the Solaris man pages that
> it is really about dealing with files like lastlog/utmpx/wtmpx.

Yeah, that's been my feeling too.  Also, I've seen it described somewhere
that pam_session can be used to do site-specific things that your custom
modules implement, like custom logging, etc.  The stock pam_unix.so is
pretty simple and you're supposed to stack a home-brew module with it to
do something "meaningful".

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key



