bug-cvs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM support lacks pam_setcred() call

From: Steve McIntyre
Subject: Re: PAM support lacks pam_setcred() call
Date: Mon, 20 Oct 2003 20:48:25 +0100
User-agent: Mutt/1.5.4i 
On Mon, Oct 20, 2003 at 11:16:18AM -0700, Marc Singer wrote:
>CVSs PAM support does not make the pam_setcred() call.  The
>pam_group.so module uses this call to add UNIX groups to the user's
>process privileges.  In addition, the pam_setcred() call requires
>PAM_TTY to be set.
>
>I've explored the problem enough to have discovered the root cause of
>pam_group.so failing.  However, it is not sufficient to add these
>calls.  The switch_to_user() call in CVS obliterates the group
>privileges added by pam_group.so.  So, it seems that there is a more
>fundamental problem with the way that PAM is used in CVS.
>
>In mail exchanges with Steve McIntyre, it is clear that there are some
>pending changes to the way that CVS uses PAM, e.g. adding PamAuth
>option to CVSROOT/config.  This pam_setcred() problem, too, may
>indicate that further changes are necessary.

Yes. The PamAuth thing is an addition I've made for the Debian
package. Brian, I think we need to look at PAM a little more to see
what other features people want/need... :-(

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Into the distance, a ribbon of black
Stretched to the point of no turning back

Attachment: signature.asc
Description: Digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]