i386/53324: pam_group problems (PAM_RUSER used instead of
PAM_USER)
Dag-Erling Smorgrav
des at ofug.org
Sat Jun 14 16:00:25 PDT 2003
The following reply was made to PR i386/53324; it has been noted by GNATS.
From: Dag-Erling Smorgrav <des at ofug.org>
To: Kamen at edelweiss.dyns.cx
Cc: "Angelov <kamenangelov"@netscape.net,
FreeBSD-gnats-submit at FreeBSD.org
Subject: Re: i386/53324: pam_group problems (PAM_RUSER used instead of
PAM_USER)
Date: Sun, 15 Jun 2003 00:59:41 +0200
Kamen Angelov <kamenangelov at netscape.net> writes:
> I believe this is a problem with pam_group itself: the module reads
> the PAM_RUSER field instead of PAM_USER when trying to fetch the
> username of the user. I believe PAM_USER would be the correct field
> to read in this context.
No. PAM_RUSER is the applicant, PAM_USER is the user you're trying to
log in as. The purpose of pam_group(8) is to check that the applicant
is in the correct group.
The correct solution to your problem would be to make pam_group(8)
understand the auth_as_self flag, not to blindly change PAM_RUSER to
PAM_USER.
> When PAM_RUSER is replaced with PAM_USER all warnings disappear and
> everything seem to work as expected.
Except for su(1), which is what pam_group(8) is intended for.
DES
--
Dag-Erling Smorgrav - des at ofug.org
More information about the freebsd-i386
mailing list