Another round of testing calls.

Darren Moffat Darren.Moffat at eng.sun.com
Fri Oct 26 02:59:50 EST 2001


>What is pam_setid?  Do you mean pam_setcred?  pam_setcred has always been

Yes, I meant setcred.

>a little fuzzy... the pam_setcred from pam_unix.so has changed function
>between Sol2.6 and Sol7.  In 2.6, pam_sm_setcred did nothing and
>initgroups() was called by login or other apps directly.  In Sol7,
>pam_sm_setcred actually called initgroups() and the apps were made
>to call pam_setcred with expectations of it calling initgroups().

That is not correct.  The code for pam_sm_setcred in pam_unix hasn't
actually changed between 2.6 and the current builds of the next release
of Solaris.  Well, that isn't quite true: there were a few minor changes,
but that was fixing a broken cast to remove a compiler warning and
changing the wording of one of the messages that prints it out.
I've just checked the code (and BTW this is one of my areas of Solaris
responsibility).

The last time that initgroups didn't happen in the application but
happened in the module was 2.5.1 - when PAM was in prerelease state and
not configurable or public.

Having said all of that, what you were suggesting had happened is actually
the correct way to go; initgroups probably should be called from the
pam_unix pam_setcred and not the application, since your supplementary groups
are your unix creds.  However, we don't currently do that - if Solaris ever
does get to that stage then OpenSSH should be updated to not do the
initgroups calls if being built to run on that release of Solaris.

--
Darren J Moffat
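
Added example, not part of the original message and not OpenSSH or Solaris code: since the message says pam_unix's pam_setcred does not call initgroups(), an application can verify before setuid() that its supplementary groups really are the target user's. The names `same_groups` and `supplementary_groups_match` are hypothetical, and `getgrouplist()` is assumed to be available (glibc/BSD).

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if every gid in a[] also occurs in b[], else 0. */
static int subset(const gid_t *a, int na, const gid_t *b, int nb)
{
    for (int i = 0; i < na; i++) {
        int found = 0;
        for (int j = 0; j < nb && !found; j++)
            found = (a[i] == b[j]);
        if (!found)
            return 0;
    }
    return 1;
}

/* Set equality of two gid lists (order and duplicates ignored). */
int same_groups(const gid_t *a, int na, const gid_t *b, int nb)
{
    return subset(a, na, b, nb) && subset(b, nb, a, na);
}

/*
 * Hypothetical helper: call after initgroups()/pam_setcred(), before setuid().
 * Returns 1 if the process's supplementary groups equal the group database's
 * list for `user`, 0 if they differ (e.g. initgroups() was skipped and the
 * parent's groups are still attached), -1 on lookup or allocation failure.
 */
int supplementary_groups_match(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    gid_t gid = pw->pw_gid, probe;
    int nwant = 0, nhave = getgroups(0, NULL), rc = -1;
    getgrouplist(user, gid, &probe, &nwant);   /* sizing call: sets nwant */
    if (nhave < 0 || nwant <= 0)
        return -1;
    gid_t *want = malloc((size_t)nwant * sizeof *want);
    gid_t *have = malloc(((size_t)nhave + 1) * sizeof *have);
    if (want && have && getgrouplist(user, gid, want, &nwant) != -1 &&
        (nhave = getgroups(nhave, have)) >= 0)
        rc = same_groups(have, nhave, want, nwant);
    free(want); free(have);
    return rc;
}
```

A return of 0 here is the failure mode the thread is about: the application assumed the module set the groups, the module did not, and the process kept the groups it started with.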




More information about the openssh-unix-dev mailing list