pam session as root
Darren J Moffat
Darren.Moffat at Sun.COM
Fri Jun 28 02:01:58 EST 2002
Matthew Vernon wrote:
> Michael Stone <mstone at cs.loyola.edu> writes:
>
>
>>Beyond any more general questions of whether pam sessions *should* be
>>run as root, is there an immediate security concern with moving the
>
>
> I believe that the original PAM authors intended pam_session to be run
> as root. Whether this is sensible or not is left as an exercise...
The application calling the PAM API needs to run with sufficient
privelge for all of the configured service modules to do their job.
This does not necesarily mean root, but it does degenerate to root on
most systems that use PAM.
In Solaris that means that all PAM functions must be called as root.
--
Darren J Moffat
More information about the openssh-unix-dev
mailing list