Re: PAM support lacks pam_setcred() call
From: Marc Singer
Subject: Re: PAM support lacks pam_setcred() call
Date: Mon, 27 Oct 2003 16:53:15 -0800
User-agent: Mutt/1.5.4i

On Mon, Oct 27, 2003 at 10:59:19PM +0100, Brian Murphy wrote:
> Marc Singer wrote:
>
> >CVS's PAM support does not make the pam_setcred() call. The
> >pam_group.so module uses this call to add UNIX groups to the user's
> >
> Do you have an example of how you want to use the pam_group module? A
> configuration file for example and what you expect it to do.

Certainly.

    #%PAM-1.0
    #auth required pam_permit.so
    # pam_group removed as it doesn't work with release build of CVS
    #auth optional pam_group.so
    auth sufficient pam_winbind.so
    auth required pam_unix.so use_first_pass
    #account required pam_permit.so
    account requisite pam_access.so accessfile=/etc/security/access-cvs.conf
    account sufficient pam_winbind.so
    account required pam_unix.so

And then, the /etc/security/group.conf file:

    cvs; * ; * ; Al0000-2400 ;cvs

The point of this exercise is that we want to use the MSWindows
password database *and* set the group owner for all files to be cvs.
> >process privileges. In addition, the pam_setcred() call requires
> >PAM_TTY to be set.
> >
> >
> What should PAM_TTY be set to? I can't really see that there is a
> sensible value.
It turns out not to matter. You could make it /dev/null.
The pam_group module uses the TTY value to determine if the user's tty
is qualified.
The trouble with the system as-is is that we cannot control the
group ownership of new files. CVS changes the user and group to match
the credentials it receives from Winbind. We'd really be much happier
if we could coerce the owner/group of all files to be cvs.cvs.
Cheers.
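
Added example, not part of the original message and not code from CVS or Linux-PAM: a simplified C evaluator for the group.conf rule quoted above, showing that with `*` in the ttys field any PAM_TTY value qualifies (including /dev/null), while a caller that sets no PAM_TTY gets no groups, as the message states. Assumptions: only `*` or exact matches and the `Al` day code are handled, the function names and the user "alice" are hypothetical, and the NULL-tty branch models the message's statement rather than the module's source.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the next ';'-separated field of *p into out, trimmed of blanks. */
static void next_field(const char **p, char *out, size_t n) {
    const char *s = *p, *e = strchr(s, ';');
    if (!e) e = s + strlen(s);
    *p = *e ? e + 1 : e;                 /* advance past the separator */
    while (s < e && isspace((unsigned char)*s)) s++;
    while (e > s && isspace((unsigned char)e[-1])) e--;
    size_t len = (size_t)(e - s) < n - 1 ? (size_t)(e - s) : n - 1;
    memcpy(out, s, len);
    out[len] = '\0';
}

/* Simplified: a field matches if it is "*" or equals the value exactly. */
static int field_ok(const char *pat, const char *val) {
    return strcmp(pat, "*") == 0 || strcmp(pat, val) == 0;
}

/* Simplified: only the "Al" (all days) code followed by HHMM-HHMM. */
static int time_ok(const char *spec, int hhmm) {
    int from, to;
    if (sscanf(spec, "Al%4d-%4d", &from, &to) != 2) return 0;
    return hhmm >= from && hhmm <= to;
}

/* Rule layout: services;ttys;users;times;groups.
 * Returns 1 if the rule grants its groups (copied into groups), else 0.
 * tty == NULL models an application that never set PAM_TTY. */
int rule_grants(const char *rule, const char *svc, const char *tty,
                const char *user, int hhmm, char *groups, size_t n) {
    char f[4][64];
    const char *p = rule;
    for (int i = 0; i < 4; i++) next_field(&p, f[i], sizeof f[i]);
    next_field(&p, groups, n);
    if (!tty) return 0;                  /* no terminal to qualify */
    return field_ok(f[0], svc) && field_ok(f[1], tty) &&
           field_ok(f[2], user) && time_ok(f[3], hhmm);
}

int main(void) {
    char g[64];
    const char *rule = "cvs; * ; * ; Al0000-2400 ;cvs"; /* from the message */
    printf("tty=/dev/null: %d\n",
           rule_grants(rule, "cvs", "/dev/null", "alice", 930, g, sizeof g));
    printf("tty unset:     %d\n",
           rule_grants(rule, "cvs", NULL, "alice", 930, g, sizeof g));
    return 0;
}
```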