Re: Question on PAM system-auth



Begin <48401627$0$7714$4c368faf@xxxxxxxxxxxxxx>
On Fri, 30 May 2008 10:59:58 -0400, Wayne <nospam@xxxxxxxxxxxxxx> wrote:
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
> [snip]
> If I understand this correctly the first line requires a valid,
> unexpired user account. The last three lines don't seem to do
> anything! That is, if the first line succeeds the last three can
> have no effect.

PAM always confuses me, but this I probably can give a correct answer to.
Looking at pam.conf(5), it says:

required    If this module succeeds, the result of the chain will be
            success unless a later module fails. If it fails, the rest of
            the chain still runs, but the final result will be failure
            regardless of the success of later modules.

So, regardless of success or failure of the first line, further rules
are run. If the first rule fails, the entire rule will fail regardless
of outcome of later rules, but provided the first one succeeded, you
still need an absence of failure in later modules for an overall
success.

Contrast this with

sufficient  If this module succeeds, the chain is broken and the result
            is success. If it fails, the rest of the chain still runs,
            but the final result will be failure unless a later module
            succeeds.

Here, success on this module means no further checking. Failure means
further checks are done to see if later modules won't succeed.

Reading the above lines again, I'd instead say that the middle two don't
contribute much because the last line unconditionally succeeds. Failure
in the first line, however, means an overall failure regardless of
outcome on later lines. As I said, PAM confuses me, so ICBW.


--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.
.
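To make the required/sufficient reasoning in the reply above concrete, here is an added example that is not part of the original thread: a small Python simulator of Linux-PAM control-flag semantics (required, requisite, sufficient, optional, as described in pam.conf(5)) run over the four-line account stack from the question. Module outcomes are constructed values passed in as a dict; no real PAM modules, users or uids are consulted, and the scenario names and the evaluate_stack/run_scenarios helpers are assumptions of this example.

```python
"""Trace how a PAM 'account' stack resolves under the control flags from
pam.conf(5). Added example, not from the original post or from Linux-PAM."""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "required", "requisite", "sufficient", "optional")


def evaluate_stack(stack, outcomes):
    """Walk the stack top to bottom; return (overall_result, trace).

    stack:    list of (control_flag, module_name), in file order
    outcomes: dict module_name -> True (success) / False (failure),
              constructed for the simulation

    Rules modelled (simplified Linux-PAM behaviour):
      required   failure is remembered, chain continues, final result fails
      requisite  failure ends the chain immediately with failure
      sufficient success ends the chain with success unless a required or
                 requisite module already failed; failure is ignored
      optional   success counts only if nothing else decided; failure ignored
      A stack where no module ever counted (e.g. only sufficient modules,
      all failing) is denied.
    """
    impression = None      # None: undecided, True: positive, False: negative
    trace = []
    for flag, module in stack:
        ok = outcomes[module]
        trace.append(f"{flag:<10} {module:<20} {'ok' if ok else 'FAIL'}")
        if ok:
            if flag == SUFFICIENT and impression is not False:
                trace.append("sufficient success: chain stops")
                return True, trace
            if flag in (REQUIRED, REQUISITE, OPTIONAL) and impression is None:
                impression = True
        else:
            if flag in (REQUIRED, REQUISITE):
                impression = False
                if flag == REQUISITE:
                    trace.append("requisite failure: chain stops")
                    return False, trace
            # sufficient / optional failure is ignored
    return impression is True, trace


# The account stack exactly as posted in the question.
ACCOUNT_STACK = [
    (REQUIRED,   "pam_unix.so"),
    (SUFFICIENT, "pam_localuser.so"),
    (SUFFICIENT, "pam_succeed_if.so"),   # uid < 500 quiet
    (REQUIRED,   "pam_permit.so"),
]

# Constructed module outcomes for three situations (hypothetical names).
SCENARIOS = {
    "local user, account valid": {
        "pam_unix.so": True, "pam_localuser.so": True,
        "pam_succeed_if.so": True, "pam_permit.so": True},
    "account expired in pam_unix": {
        "pam_unix.so": False, "pam_localuser.so": True,
        "pam_succeed_if.so": True, "pam_permit.so": True},
    "non-local user, uid >= 500": {
        "pam_unix.so": True, "pam_localuser.so": False,
        "pam_succeed_if.so": False, "pam_permit.so": True},
}


def run_scenarios():
    """Return scenario name -> overall result for the posted stack."""
    return {name: evaluate_stack(ACCOUNT_STACK, outcomes)[0]
            for name, outcomes in SCENARIOS.items()}


def tail_changes_result(outcomes):
    """True if lines 2-4 change the outcome compared with line 1 alone."""
    full, _ = evaluate_stack(ACCOUNT_STACK, outcomes)
    first_only, _ = evaluate_stack(ACCOUNT_STACK[:1], outcomes)
    return full != first_only


if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        result, trace = evaluate_stack(ACCOUNT_STACK, outcomes)
        print(f"== {name}: {'ALLOW' if result else 'DENY'}")
        print("\n".join("   " + line for line in trace))
```

Running it shows both halves of the reply: when pam_unix.so fails, the overall result is denial even though every later line succeeds, and when it succeeds, the sufficient lines only shorten the walk (the chain stops at pam_localuser.so) while pam_permit.so never alters the verdict; tail_changes_result() is False for all three scenarios.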