On Friday, September 14, 2007 04:46:01 PM -0500 Jason King 
<jason at ansipunx.net> wrote:

> On 9/14/07, Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
>>
>>
>> On Wednesday, September 12, 2007 07:53:06 PM -0500 Nicolas Williams
>> <Nicolas.Williams at sun.com> wrote:
>>
>> >> Short implementation question - which of the following concepts is
>> >> better:
>> >> 1. Simple solution: Start a shell script each time a |pam_sm_*()|
>> >> function is called, run it until it finishes and collect the results
>> >>
>> >>     or
>> >>
>> >> 2. Create a shell instance for each created |pam_handle_t| and run the
>> >> script, the script defines a set of shell functions, one per
>> >> |pam_sm_*()| callback and when such a callback is called it launches
>> >> the matching shell function. The shell instance is destroyed when the
>> >> matching |pam_handle_t| is disposed.
>> >>
>> >> Erm, the 2nd solution is a little bit more complicated to implement
>> >> but would be more flexible since the shell and all its global
>> >> variables would live as long as the matching |pam_handle_t| exists.
>> >
>> > (2), so the module can keep state.  I still think Perl5 is better
>> > because there is so much functionality in CPAN that could be used for
>> > all sorts of PAM modules.
>>
>> Yes, (2) would be better if you could do it.  But you can't, without
>> modifying the framework.  PAM modules don't get control when a handle is
>> created, only when one of the six main interfaces is called, or when a
>> PAM_DATA item is destroyed.  I suppose you could create the shell
>> instance the first time one of the main operations is called, and store
>> a reference to it in a data item.  But I don't believe there's any
>> guarantee that the framework doesn't unload modules, and in any case
>> you'd have to figure out a way to name the data item that doesn't
>> preclude admins from using this module more than once with different
>> scripts.
>> _______________________________________________
>> security-discuss mailing list
>> security-discuss at opensolaris.org
>>
>
> Perhaps I'm missing something but why not in pam_sm_*:

Yes, you could do that; that's what I was describing after "I suppose you 
could...".  But that's not quite the same as doing it when the handle is 
created.

Also, you don't want to use a constant name as shown in your example, 
because that precludes a PAM stack which uses this module twice with 
different scripts.

-- Jeff
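As an added illustration (not code from this thread or from any real module), this is what the script side of solution (2) could look like: one long-lived shell per |pam_handle_t|, one shell function per |pam_sm_*()| callback, and a dispatch loop the C module would drive. The request/response protocol (one "<callback> <user>" line in, one PAM result name out) and the allow-list of users are assumptions made for this example.

```shell
#!/bin/sh
# Constructed example of the shell side of "solution 2".
# Assumed (hypothetical) protocol: the module keeps one shell per
# pam_handle_t, writes one request line per callback on the shell's
# stdin, "<callback> <user>", and reads back one PAM result name.

# State that lives as long as the shell, i.e. as long as the handle.
AUTH_USER=""
AUTH_OK=0

pam_sm_authenticate() {
    # $1 = user. Constructed allow-list standing in for a real check.
    case "$1" in
        alice|bob) AUTH_USER="$1"; AUTH_OK=1; echo PAM_SUCCESS ;;
        *)         AUTH_USER="";   AUTH_OK=0; echo PAM_AUTH_ERR ;;
    esac
}

pam_sm_setcred() {
    # Relies on state left behind by pam_sm_authenticate in the same
    # shell, which solution 1 (fresh process per callback) cannot do.
    if [ "$AUTH_OK" -eq 1 ] && [ "$1" = "$AUTH_USER" ]; then
        echo PAM_SUCCESS
    else
        echo PAM_CRED_UNAVAIL
    fi
}

pam_sm_acct_mgmt()     { [ "$AUTH_OK" -eq 1 ] && echo PAM_SUCCESS || echo PAM_PERM_DENIED; }
pam_sm_open_session()  { echo PAM_SUCCESS; }
pam_sm_close_session() { echo PAM_SUCCESS; }
pam_sm_chauthtok()     { echo PAM_AUTHTOK_ERR; }

# Dispatch loop: one request per line until the module closes stdin,
# which it does when the pam_handle_t is disposed. Only the six fixed
# callback names may be invoked; anything else is refused.
dispatch() {
    while read -r cb user; do
        case "$cb" in
            pam_sm_authenticate|pam_sm_setcred|pam_sm_acct_mgmt|\
            pam_sm_open_session|pam_sm_close_session|pam_sm_chauthtok)
                "$cb" "$user" ;;
            *)  echo PAM_MODULE_UNKNOWN ;;
        esac
    done
}

# Run as a server only when asked, so the file can also be sourced.
if [ "${1:-}" = "--serve" ]; then dispatch; fi
```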
