On Thu, Mar 06, 2008 at 11:07:33AM -0800, Gary Winiger wrote:
> How does it support pam_setcred()?

Screen lock programs typically do not (and IMO never should) start any session processes -- typically after authentication and authorization they just exit. Screen lock programs should call pam_setcred(3PAM), but not pam_open_session(3PAM), nor pam_close_session(3PAM) unless we extend their semantics to include "unlock" (open) and lock (close), and should not fork(2) any processes nor exec(2) any programs -- they should just exit(2) after calling pam_end(3PAM).

Also, I don't see how either PAM setcred modules or screen lock programs can arrange for any of the effects of pam_setcred() on its caller to be applied to the user session's existing processes or new ones. That's because a lot of what pam_unix_cred(5) does (for example) affects a session's processes only by inheritance from the process that called pam_setcred().

So I think the question "how does [the screen lock program] support pam_setcred()?" just doesn't make much sense. The answer should be: "it calls pam_setcred(), but doing so has little or no impact on the unlocked session."

Nico
--
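The inheritance point in the message above, as an added example that is not part of the original thread: a short-lived helper changes its own per-process state and exits without fork(2) or exec(2), and the process that was already running checks that nothing changed for it. The umask and the soft RLIMIT_NOFILE limit are stand-ins chosen here for the state a setcred module sets in its caller, and all function names are hypothetical.

```c
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Per-process state used as a stand-in (assumption) for what a setcred
 * module changes in the process that calls pam_setcred(). */
struct proc_state { mode_t mask; rlim_t nofile_soft; };

static int read_state(struct proc_state *s) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    s->nofile_soft = rl.rlim_cur;
    s->mask = umask(0);            /* umask can only be read by setting it */
    umask(s->mask);                /* put the original value back */
    return 0;
}

/* Hypothetical locker: changes its own state, checks that the change took
 * effect locally, and returns an exit status. No fork(2), no exec(2). */
static int locker_changes_own_state(void) {
    struct proc_state before, after;
    struct rlimit rl;
    if (read_state(&before) != 0 || getrlimit(RLIMIT_NOFILE, &rl) != 0) return 1;
    if (rl.rlim_cur < 2) return 1;
    rl.rlim_cur -= 1;              /* lowering a soft limit needs no privilege */
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return 1;
    umask(before.mask ^ 0007);     /* flip the "other" bits so the mask differs */
    if (read_state(&after) != 0) return 1;
    return (after.mask != before.mask && after.nofile_soft != before.nofile_soft) ? 0 : 1;
}

/* Returns 1 if the already-running "session" process is unchanged after the
 * locker changed itself and exited, 0 if it changed, -1 on error. */
int session_unaffected_by_locker(void) {
    struct proc_state before, after;
    int status; pid_t pid;
    if (read_state(&before) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) _exit(locker_changes_own_state());
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    if (read_state(&after) != 0) return -1;
    return after.mask == before.mask && after.nofile_soft == before.nofile_soft;
}

int main(void) {
    return session_unaffected_by_locker() == 1 ? 0 : 1;
}
```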