Nicolas Williams wrote:

> So I think the question "how does [the screen lock program] support
> pam_setcred()?" just doesn't make much sense.  The answer should be: "it
> calls pam_setcred(), but doing so has little or no impact on the
> unlocked session."
> 

The process manipulations done by Solaris pam_unix_cred aren't the only 
way an authentication module can set up credentials for a session. One 
obvious use is creating or updating on-disk (or in-(daemon-)memory) 
credentials caches.

The presence of the PAM_REFRESH_CRED flag very much indicates that this 
is an intended use.

If initial credential establishment (PAM_ESTABLISH_CRED) often uses 
process environment to pass credentials down to a session, then screen 
lock programs (or their privileged helpers) need to run in the session 
environment in order to find the credentials to refresh.

- Jörg

-- 
Joerg Barfurth           phone: +49 40 23646662 / x66662
Software Engineer        mailto:joerg.barfurth at sun.com
Desktop Technology       http://reserv.ireland/twiki/bin/view/Argus/
Thin Client Software     http://www.sun.com/software/sunray/
Sun Microsystems GmbH    http://www.sun.com/software/javadesktopsystem/
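
As an added example (not code from this thread or from any particular screen locker): one way a privileged unlock helper could carry only the credential-locating variables from the session environment into PAM before calling pam_setcred() with PAM_REFRESH_CRED. The `KRB5CCNAME` allowlist entry, the `USE_LIBPAM` build guard and the function names are assumptions of the example.

```c
/* Added example, not from the thread. PAM calls need -DUSE_LIBPAM -lpam. */
#include <stdio.h>
#include <string.h>
#ifdef USE_LIBPAM
#include <security/pam_appl.h>
#endif
/* Assumption: variables a module may use to locate a credentials cache. */
static const char *const cred_vars[] = { "KRB5CCNAME", NULL };
/* True if entry is NAME=value with NAME allowlisted and value non-empty. */
static int is_cred_entry(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry || eq[1] == '\0') return 0;
    size_t len = (size_t)(eq - entry);
    for (const char *const *v = cred_vars; *v != NULL; v++)
        if (strlen(*v) == len && strncmp(entry, *v, len) == 0) return 1;
    return 0;
}

/* Collect allowlisted entries of session_env into out[0..max); return count. */
size_t select_cred_env(char *const *session_env, const char **out, size_t max)
{
    size_t n = 0;
    for (; *session_env != NULL && n < max; session_env++)
        if (is_cred_entry(*session_env)) out[n++] = *session_env;
    return n;
}

#ifdef USE_LIBPAM
/* Call after pam_authenticate() succeeds; assumes the module reads the PAM
 * environment (one that uses getenv() needs the helper's own environment). */
int refresh_session_creds(pam_handle_t *pamh, char *const *session_env)
{
    const char *sel[8];
    size_t n = select_cred_env(session_env, sel, 8);
    for (size_t i = 0; i < n; i++)
        if (pam_putenv(pamh, sel[i]) != PAM_SUCCESS) return PAM_SYSTEM_ERR;
    return pam_setcred(pamh, PAM_REFRESH_CRED);
}
#endif

int main(void)
{
    /* Constructed sample session environment. */
    char *env[] = { "LD_PRELOAD=/tmp/x.so", "KRB5CCNAME=FILE:/tmp/krb5cc_1000", NULL };
    const char *sel[8];
    for (size_t i = 0, n = select_cred_env(env, sel, 8); i < n; i++)
        puts(sel[i]);
    return 0;
}
```

Filtering to an allowlist keeps loader and path variables from the user's session out of the privileged helper while still handing the module the cache location it needs to refresh.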


