From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel J Walsh Subject: Re: Place to call pam_loginuid in the pam session stack Date: Tue, 22 Apr 2014 16:10:46 -0400 Message-ID: <5356CCC6.4020408@redhat.com> References: <20140422193044.1778e7b5@fornost.bigon.be> <3716388.pv1iY2ROQ0@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <3716388.pv1iY2ROQ0@x2> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb , linux-audit@redhat.com List-Id: linux-audit@redhat.com On 04/22/2014 02:59 PM, Steve Grubb wrote: > On Tuesday, April 22, 2014 07:30:44 PM Laurent Bigonville wrote: >> Hello, >> >> This is maybe a dumb question, but is there any preferred place in the >> pam session stack to call pam_loginuid? >> >> Is it preferable to call it just after "pam_selinux close" or is any >> place OK? I guess the sooner the better so the needed information are >> present to audit what the other pam modules are doing? > I think that as long as its set before a user can cause any action to occur on > their behalf is all that is required. If there is a pam module that looks in a > user's home directory for settings and then does something based on that, then > you'd need to set it before that module. > > -Steve > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit Well that is the goal of pam_selinux open also. So it should either be right before or right after.