New PAM code landing (at last)

Frank Cusack fcusack at fcusack.com
Sun May 11 19:55:23 EST 2003


On Sun, May 11, 2003 at 10:47:26AM +0100, James Williamson wrote:
> > On Sun, May 11, 2003 at 08:29:28AM +0100, James Williamson wrote:
> > > I've scanned the code and the PAM stuff is actually broken despite the
> > > privileges.
> > > The credentials stage is actually called after the session stage which
> > > runs contra to what the linux pam docs specify (i.e. it should be done
> > > before).
> >
> > What is the credentials stage?  pam_setcred()?
> >
> > Both the Sun docs (Solaris 9_u2):
> >
> >      The pam_setcred() function is used to establish, modify,  or
> >      delete  user  credentials.  It is typically called after the
> >      user has been authenticated and after  a  session  has  been
> >      opened.
> >
> > and the Linux-PAM docs (Linux-PAM-0.72):
> >
> >   This function is used to set the module-specific credentials of the
> >   user.  It is usually called after the user has been authenticated,
> >   after the account management function has been called and after a
> >   session has been opened for the user.
> >
> > say that you call this after pam_open_session().
> 
> Well I'm looking here:
> 
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html
> 
> extern int pam_setcred(pam_handle_t *pamh, int flags);
> 
> "This function is used to set the module-specific credentials of the user.
> It is usually called after the user has been authenticated, after the
> account management function has been called but before a session
> has been opened for the user. "

Well, they seem to have changed their mind between 0.72 and whatever is
current.  I would lend more credence to the Sun docs.

Also, login.c from util-linux-2.11y (the latest I could find) does it
in the Sun-documented order.

/fc
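
An added example, not part of the original message or of OpenSSH: a small checker that reads a library-call trace of one login and reports which of the two orderings quoted in this thread the program follows. The trace lines, the handle name `h` and the label strings are constructed for illustration.

```python
import re

# Labels are this example's own; the orderings are the ones quoted in the thread.
AFTER_SESSION = "pam_setcred after pam_open_session (Sun docs, Linux-PAM-0.72 text)"
BEFORE_SESSION = "pam_setcred before pam_open_session (pam_appl-3.html text)"
UNDETERMINED = "undetermined (pam_setcred or pam_open_session not seen)"

CALL_RE = re.compile(r"\b(pam_[a-z_]+)\s*\(")

def first_positions(trace_lines):
    """Map each PAM function name to the index of its first call in the trace."""
    first = {}
    for idx, line in enumerate(trace_lines):
        match = CALL_RE.search(line)
        if match:
            first.setdefault(match.group(1), idx)
    return first

def classify(trace_lines):
    """Return (ordering label, list of problems) for one login's call trace."""
    first = first_positions(trace_lines)
    cred, sess = first.get("pam_setcred"), first.get("pam_open_session")
    problems = []
    # Every quoted text puts authentication before pam_setcred(); both
    # Linux-PAM texts also put account management before it.
    for name in ("pam_authenticate", "pam_acct_mgmt"):
        if cred is not None and first.get(name, -1) > cred:
            problems.append(f"{name} called after pam_setcred")
    if cred is None or sess is None:
        return UNDETERMINED, problems
    return (AFTER_SESSION if cred > sess else BEFORE_SESSION), problems

# Constructed traces (not captured from any real program).
TRACE_A = [
    "pam_authenticate(h, 0) = 0",
    "pam_acct_mgmt(h, 0) = 0",
    "pam_open_session(h, 0) = 0",
    "pam_setcred(h, PAM_ESTABLISH_CRED) = 0",
]
TRACE_B = [
    "pam_authenticate(h, 0) = 0",
    "pam_acct_mgmt(h, 0) = 0",
    "pam_setcred(h, PAM_ESTABLISH_CRED) = 0",
    "pam_open_session(h, 0) = 0",
]
TRACE_C = ["pam_setcred(h, PAM_ESTABLISH_CRED) = 0", "pam_authenticate(h, 0) = 0"]

if __name__ == "__main__":
    print(classify(TRACE_A), classify(TRACE_B), classify(TRACE_C))
```

Only the first call to each function is considered, so a later `pam_setcred()` that deletes credentials at logout does not change the result.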




More information about the openssh-unix-dev mailing list