Subject: Re: integrating PAM
To: Dan Melomedman <firstname.lastname@example.org>
From: Bill Studenmund <email@example.com>
Date: 01/24/2003 13:45:26
On Fri, 24 Jan 2003, Dan Melomedman wrote:
> Bill Studenmund wrote:
> > If instead they are things the calling programs could receive, then we
> > have a new API.
> Also note that in checkpassword it's not just an authenticator and a calling
> process. It's three programs for simplicity and modularity's sake.
> 1) The program responsible for receiving credentials, which exec()s
> the authenticator after writing this and additional data into pipe.
> 2) The authenticator program, which verifies credentials after reading
> them from the pipe, and exec()s the final process (dropping the root
> privilege, changing to the working directory, etc. before the exec).
> 3) There's nothing preventing the authenticator from giving the kernel
> some data before exec. Of course the standard method of passing data
> from the authenticator to the final process is through env. This
> however doesn't prevent you from passing data any other way, like a pipe, or
> set some tokens before exec for your Kerberos or AFS in the kernel in my
It's not "set some tokens before exec", it's "set some tokens in the original
process". It's already running, so do-before-exec actions won't help.
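As an added example (not code from this thread or from the checkpassword package), here is the pipe handoff Dan describes, following the checkpassword interface as published: three NUL-terminated fields (login, password, timestamp) read from a descriptor, at most 512 bytes, exit status 1 for bad credentials and 2 for misuse, with $USER, $HOME and $SHELL set for the final program. The account table, the single-process pipe and the environment dictionary standing in for the setuid/chdir/exec step are constructed for the demo.

```python
import os
import hmac
MAX_LEN = 512  # checkpassword reads at most 512 bytes from the credential descriptor

# Constructed sample account table: login -> (password, home, shell). Plaintext
# passwords are for the demo only; a real authenticator checks a password database.
ACCOUNTS = {"alice": ("s3cret", "/home/alice", "/bin/sh")}

def pack_credentials(login, password, timestamp=b""):
    """Role 1: the wire format the receiving program writes into the pipe before it
    exec()s the authenticator: login\\0password\\0timestamp\\0."""
    return login.encode() + b"\0" + password.encode() + b"\0" + timestamp + b"\0"

def read_credentials(fd):
    """Role 2, first half: read the pipe, enforcing the 512-byte limit and the three
    NUL-terminated fields. Returns (login, password, timestamp) or None on misuse."""
    buf = b""
    while len(buf) <= MAX_LEN:
        chunk = os.read(fd, MAX_LEN + 1 - len(buf))
        if not chunk:
            break
        buf += chunk
    os.close(fd)
    if len(buf) > MAX_LEN:
        return None
    parts = buf.split(b"\0")
    if len(parts) < 4:  # three fields plus the empty remainder after the final NUL
        return None
    return parts[0].decode(errors="replace"), parts[1].decode(errors="replace"), parts[2]

def authenticate(fd):
    """Role 2, second half: verify and return the checkpassword exit status (0 ok,
    1 bad credentials, 2 misuse) plus the environment the final process would get."""
    creds = read_credentials(fd)
    if creds is None:
        return 2, None
    login, password, _ = creds
    record = ACCOUNTS.get(login)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return 1, None
    # A real authenticator would setgid/setuid, chdir(home) and exec() the final
    # program here; the demo only returns the environment it would pass along.
    return 0, {"USER": login, "HOME": record[1], "SHELL": record[2]}

def exchange(payload):
    """Push the payload through a real pipe to the authenticator, all in one process."""
    rfd, wfd = os.pipe()
    os.write(wfd, payload)
    os.close(wfd)
    return authenticate(rfd)
```

Note that nothing the authenticator does before its exec() can reach the receiving program, which is Bill's point above: that process is already running and only sees the exit status.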