Subject: Re: integrating PAM
To: Dan Melomedman <dan%dan.dan@devonit.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 01/24/2003 13:45:26
On Fri, 24 Jan 2003, Dan Melomedman wrote:

> Bill Studenmund wrote:
> > If instead they are things the calling programs could receive, then we
> > have a new API..
>
> Also note in checkpassword it's not just an authenticator, and a calling
> process. It's three programs for simplicity and modularity's sake.
>
> 1) The program responsible for receiving credentials, which exec()s
> the authenticator after writing this and additional data into a pipe.
>
> 2) The authenticator program, which verifies credentials after reading
> them from the pipe, and exec()s the final process (dropping the root
> privilege, changing to the working directory, etc. before the exec).
>
> 3) There's nothing preventing the authenticator from giving the kernel
> some data before exec. Of course the standard method of passing data
> from the authenticator to the final process is through env[]. This
> however doesn't prevent you from passing data any other way, like a pipe, or
> setting some tokens before exec for your Kerberos or AFS in the kernel, in my
> understanding.

It's not "set some tokens before exec", it's "set some tokens in the original
process". It's already running, so do-before-exec actions won't help.

Take care,

Bill
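The three-program checkpassword chain Dan describes, as an added Python example that is not part of this thread or of checkpassword itself: stage 1 writes the credential record into a pipe and exec()s the authenticator with the read end on fd 3, the authenticator reads and verifies it, drops root, and exec()s the final program, handing it data through env[]. The fd 3 layout, NUL-terminated fields and the 1/111 exit codes follow the published checkpassword interface; the credential store, the user "alice", the 512-byte record bound and the PBKDF2 hashing are constructed for this example.

```python
import hashlib, hmac, os, pwd
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
# Constructed sample store (user -> salt, PBKDF2 hash); a real one lives outside the source.
SALT = b"constructed-salt"
USER_DB = {"alice": (SALT, _hash("correct horse", SALT))}

def pack_credentials(user: str, password: str, timestamp: str = "0") -> bytes:
    # Stage 1 output: three NUL-terminated fields, as the checkpassword interface expects.
    if any("\0" in f for f in (user, password, timestamp)):
        raise ValueError("NUL inside a field would corrupt the record")
    return b"".join(f.encode() + b"\0" for f in (user, password, timestamp))

def unpack_credentials(data: bytes) -> tuple:
    # Stage 2 input check: exactly three terminated fields, bounded in size, nothing else.
    parts = data.split(b"\0")
    if len(data) > 512 or len(parts) != 4 or parts[3] != b"":
        raise ValueError("malformed credential record")
    return tuple(p.decode() for p in parts[:3])

def verify(user: str, password: str, db=USER_DB) -> bool:
    # Constant-time compare; unknown users still pay for one hash so timing does not reveal them.
    salt, stored = db.get(user, (SALT, bytes(32)))
    return hmac.compare_digest(_hash(password, salt), stored) and user in db

def spawn_with_credentials(user: str, password: str, auth_argv: list) -> None:
    # Stage 1: put the record in a pipe, leave its read end on fd 3, exec() the authenticator.
    rfd, wfd = os.pipe()
    os.write(wfd, pack_credentials(user, password))
    os.close(wfd)
    if rfd != 3:
        os.dup2(rfd, 3)  # dup2() makes fd 3 inheritable across exec()
        os.close(rfd)
    os.execv(auth_argv[0], auth_argv)
def authenticator(final_argv: list, db=USER_DB, fd: int = 3) -> int:
    # Stage 2: read fd 3, verify, drop root, chdir, exec() stage 3; returns only on failure.
    try:
        user, password, _ts = unpack_credentials(os.read(fd, 513))
        os.close(fd)
        if not verify(user, password, db):
            return 1  # checkpassword convention: 1 = credentials rejected
        pw = pwd.getpwnam(user)
    except (OSError, ValueError, KeyError):
        return 111  # checkpassword convention: 111 = temporary failure
    if os.getuid() == 0:  # give up root before handing over control
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)
    os.chdir(pw.pw_dir)
    env = {"USER": user, "HOME": pw.pw_dir, "SHELL": pw.pw_shell}  # stage 3 data via env[]
    os.execve(final_argv[0], final_argv, env)
```

Bill's point applies unchanged here: anything `authenticator` sets up before `os.execve` lands in the process it is about to exec, not in the already-running process that called stage 1.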