On Sat, 14 Jul 2007, Garrett Wollman wrote:
<<On Sat, 14 Jul 2007 16:45:14 +0100 (BST), Robert Watson
<[EMAIL PROTECTED]> said:
This is correct -- login services must be modified to properly set up user
audit state at login. I am not familiar with work relating to this with
xdm, kdm, gdm, etc, but it would be very good to see this happen.
Surely this is something that belongs in a PAM module...? The whole point
of the PAM framework is that you should *not* have to modify every program
that does a login when new mechanisms are introduced or policy changes.
Setting login state is not the only thing that audit does. Audit requirements
also exist to audit failures in the login process that may be entirely
unrelated to authentication.
That said, I'm not 100% sure that the audit state, leaving aside the auditing
of login events, couldn't be done in a PAM module. An interesting question is
why the rest of the UNIX credential is also not set up using PAM -- see calls
to setlogin(2), setusercontext(3), etc, in login.c and other things involved
in login.
Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
