util-linux.vger.kernel.org archive mirror
From: Karel Zak <kzak@redhat.com>
To: "Pádraig Brady" <P@draigBrady.com>
Cc: util-linux <util-linux@vger.kernel.org>,
	Ludwig Nussel <ludwig.nussel@suse.de>
Subject: Re: runuser(1) and su(1) -g/-G
Date: Wed, 5 Sep 2012 10:44:57 +0200
Message-ID: <20120905084457.GA32623@x2.net.home>
In-Reply-To: <50465BEE.7070005@draigBrady.com>

On Tue, Sep 04, 2012 at 08:52:14PM +0100, Pádraig Brady wrote:
> Thanks for doing all that Karel.
> I've not time to look now,
> but will note that many were looking for
> a lightweight option that didn't need PAM.

I know, it should be the second step.

> Perhaps PAM support could be easily compiled out?

Not yet. The patch will be pretty simple, all we need is to add
something like #ifdef BUILD_LIGHTWEIGHT_RUNUSER to
create_watching_parent() and authenticate(). 

Volunteers? (I'm going to spend this week with coverity scanner...)


Note that we will support PAM-only su(1); maintaining alternative
authentication code in utils like su(1), login(1), ... is nonsense.

If you don't like modular PAM then you can rebuild libpam with
statically linked modules (the result is still a shared library, but
without dlopen()).

The command runuser(1) is different as there is no authentication at
all -- it's just a wrapper around setuid/gid, and it uses PAM for
session setup only.

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com
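
The setuid/gid switch that the message says runuser(1) wraps, as an added C example that is not from the original post or from util-linux. It covers only the PAM-less case (no session setup, no environment reset); `ids_match()` and `drop_to_user()` are hypothetical names, and the program must be started as root.

```c
/* Added example, not util-linux source: the ID switch of a PAM-less,
 * runuser-style wrapper. ids_match() and drop_to_user() are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if real and effective IDs both equal the target, else 0. */
int ids_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Root -> pw: supplementary groups, then GID, then UID. Once the UID is
 * gone the process may no longer change groups, so the order is fixed. */
int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* A successful drop must be irreversible: regaining root has to fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return ids_match(pw->pw_uid, pw->pw_gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    struct passwd *pw;

    if (argc < 3 || (pw = getpwnam(argv[1])) == NULL) {
        fprintf(stderr, "usage: %s USER COMMAND [ARG...]\n", argv[0]);
        return 2;
    }
    /* No PAM session is opened: this is the lightweight case only. */
    if (drop_to_user(pw) != 0) {
        perror("drop_to_user");
        return 1;
    }
    execvp(argv[2], &argv[2]);
    perror("execvp");
    return 127;
}
```

Every return value is checked because a silently failed `setuid()` would leave the command running as root.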

Thread overview: 10+ messages
2012-09-04 15:18 runuser(1) and su(1) -g/-G Karel Zak
2012-09-04 19:52 ` Pádraig Brady
2012-09-05  8:44   ` Karel Zak [this message]
2012-09-05 12:38 ` Dave Reisner
2012-09-05 21:28   ` Dave Reisner
2012-09-07 12:07     ` Karel Zak
2012-09-07 12:39       ` Pádraig Brady
2012-09-07 13:09         ` Adam Sampson
2012-09-13 10:12         ` Karel Zak
2012-09-07 12:47       ` Dave Reisner
