pam_setcred() without pam_authenticate()?

[Nicolas Williams]

On Wed, Jun 04, 2003 at 02:38:27PM -0700, Frank Cusack wrote:
> Should pam_setcred() be called if pam_authenticate() wasn't called?
> I would say not; both of these functions are in the authenticate
> part of pam.

Pam_setcred() should be called if the user is authenticated and
authorized, even if authentication did not use pam_authenticate().

> It seems the the 'auth' part of pam config controls which modules get
> called, so if you didn't to _authenticate() you shouldn't do _setcred().

Just because the setcred stack shares the definition of the auth stack
doesn't mean that setcrfed depends on auth.

Nico
--