Chain caching is a feature of Linux-PAM, where pam_authenticate() and
pam_open_session() "freeze" the chain so that their companion
primitive (pam_setcred() and pam_close_session() respectively) will
call the exact same modules, skipping those that failed in the
previous call.
There are several reasons not to do this, the most prominent of which
is that it makes it impossible to call pam_setcred() without first
calling pam_authenticate() - which is perfectly valid according to
DCE/RFC 86.0 and XSSO, and is necessary to make 'login -f' work.
Instead of chain caching, implement something similar to the way
Solaris' libpam behaves: pam_setcred treats "sufficient" modules as if
they were "required", i.e. does not break the chain when they succeed.
PAM modules whose pam_sm_setcred() should not be called unless their
pam_sm_authenticate() succeeded can simply set a state variable using
pam_set_data() in pam_sm_authenticate(), and use pam_get_data() to
check it in pam_sm_setcred().
Sponsored by: DARPA, NAI Labs
: 2002-01-17 Ruslan Ermilov <ru@FreeBSD.org>
:
: * tmac/doc.common: Initialize %I register for the %I macro to
: avoid (harmless) warning.
: * tmac/doc.tmac (Bd): There is no reason to enforce -compact
: when in the SYNOPSIS section.
interaction between the leftright and number options.
PR: bin/23912
Reported by: "Stephen D. Spencer" <gladiatr@boneyard.lawrence.ks.us>
Obtained from: skimo@kotnet.org
: 2001-12-22 Ruslan Ermilov <ru@FreeBSD.org>
:
: * tmac/doc-common, tmac/doc-syms: Small updates.
This adds support for FreeBSD 4.4, FreeBSD 4.5, NetBSD 1.6,
and POSIX.1-2001.
the same way in the cygnus base source. The problem was that bfd was
writing to memory obtained from malloc(0). The next import will update
this if necessary. I'm not sure of the origins of this patch.
Discussed with: obrien
this case 16). Use dynamic FD_SETs and calculated high-water marks
throughout. There are also too many versions of telnet in the tree.
Obtained from: OpenBSD and Apple's Radar database
MFC after: 2 days
problem, it still didn't DTRT for services that did not have a service-
specific policy if /etc/pam.d existed but did not contain an "other"
policy. This fixes the problems some people have experienced with sudo.
And I almost didn't have to use goto.
The current configuration sequence is:
1) Look for /etc/pam.d/foo
2) If PAM_READ_BOTH_CONFS is defined, or step 1) failed, look for
foo in /etc/pam.conf
3) Look for /etc/pam.d/other (to fill in the gaps)
4) If PAM_READ_BOTH_CONFS is defined, or step 3) failed, look for
other in /etc/pam.conf
I believe this is the intended behaviour of the original code. The least
surprising behaviour seems to be when PAM_READ_BOTH_CONFS is not defined -
/etc/pam.d/foo will be preferred over /etc/pam.conf, but the latter will
serve as a backup if the former does not exist.
Sponsored by: DARPA, NAI Labs
