Re: PAM support lacks pam_setcred() call

From: Marc Singer
Subject: Re: PAM support lacks pam_setcred() call
Date: Mon, 27 Oct 2003 16:53:15 -0800
User-agent: Mutt/1.5.4i

On Mon, Oct 27, 2003 at 10:59:19PM +0100, Brian Murphy wrote:
> Marc Singer wrote:
> >CVS's PAM support does not make the pam_setcred() call.  The
> >pam_group.so module uses this call to add UNIX groups to the user's
> >
> Do you have an example of how you want to use the pam_group module? A
> configuration file for example and what you expect it to do.



   #auth           required        pam_permit.so
   # pam_group removed as it doesn't work with release build of CVS
   #auth           optional        pam_group.so
   auth            sufficient      pam_winbind.so
   auth            required        pam_unix.so use_first_pass

   #account        required        pam_permit.so
   account         requisite       pam_access.so 
   account         sufficient      pam_winbind.so
   account         required        pam_unix.so 

And then, the /etc/security/group.conf file

  cvs; * ; * ; Al0000-2400 ;cvs

The point of this exercise is that we want to use the MSWindows
password database *and* set the group owner for all files to be cvs.

> >process privileges.  In addition, the pam_setcred() call requires
> >PAM_TTY to be set.
> > 
> >
> What should PAM_TTY be set to? I can't really see that there is a
> sensible value.

It turns out not to matter.  You could make it /dev/null.

The pam_group module uses the TTY value to determine if the user's tty
is qualified.

The trouble with the system as-is is that we cannot control the
group ownership of new files.  CVS changes the user and group to match
the credentials it receives from Winbind.  We'd really be much happier
if we could coerce the owner/group of all files to be cvs.cvs.
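
Added example (not part of the original message, and not pam_group's own code): a simplified Python model of how a group.conf rule such as the one quoted above is evaluated, showing why a wildcard tty field makes the PAM_TTY value irrelevant as long as one is set. The function names, the sample user `alice`, and treating an unset tty as "no groups granted" are assumptions made for illustration.

```python
from datetime import datetime
from fnmatch import fnmatchcase

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
DAY_SETS = {"Wk": set(DAYS[:5]), "Wd": set(DAYS[5:]), "Al": set(DAYS)}

def field_matches(pattern, value):
    """One ';' field: '|'-separated alternatives, '!' negation, '*' wildcard."""
    for alt in pattern.split("|"):
        alt = alt.strip()
        negate = alt.startswith("!")
        # fnmatchcase also accepts '?' and '[]', which is looser than pam_group
        if fnmatchcase(value, alt.lstrip("!")) != negate:
            return True
    return False

def time_matches(spec, when):
    """Spec such as 'Al0000-2400': day codes followed by an HHMM-HHMM window."""
    now = when.hour * 100 + when.minute
    for alt in spec.split("|"):
        alt = alt.strip()
        days, window = alt[:-9], alt[-9:]
        allowed = set()
        for i in range(0, len(days), 2):
            code = days[i:i + 2]
            allowed ^= DAY_SETS.get(code, {code})  # a repeated day is unset again
        start, end = (int(x) for x in window.split("-"))
        in_window = start <= now < end if start <= end else (now >= start or now < end)
        if DAYS[when.weekday()] in allowed and in_window:
            return True
    return False

def extra_groups(line, service, tty, user, when):
    """Groups a 'services;ttys;users;times;groups' rule would add, else []."""
    if tty is None:  # assumption: without PAM_TTY the rule cannot be evaluated
        return []
    svc, ttys, users, times, groups = (f.strip() for f in line.split(";"))
    if (field_matches(svc, service) and field_matches(ttys, tty)
            and field_matches(users, user) and time_matches(times, when)):
        return groups.replace(",", " ").split()
    return []

# The rule from the message; the login context below is constructed sample data.
RULE = "cvs; * ; * ; Al0000-2400 ;cvs"
if __name__ == "__main__":
    print(extra_groups(RULE, "cvs", "/dev/null", "alice", datetime(2003, 10, 27, 16, 53)))
```

Because the tty field is `*`, any placeholder value passes the match; a rule with a restrictive tty pattern would make the choice of PAM_TTY an access-control decision.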

