Re: OpenBSM questions
On Sat, 14 Jul 2007, Garrett Wollman wrote:
> <<On Sat, 14 Jul 2007 16:45:14 +0100 (BST), Robert Watson
> <rwatson@freebsd.org> said:
>
>> This is correct -- login services must be modified to properly set up user
>> audit state at login. I am not familiar with work relating to this with
>> xdm, kdm, gdm, etc, but it would be very good to see this happen.
>
> Surely this is something that belongs in a PAM module...? The whole point
> of the PAM framework is that you should *not* have to modify every program
> that does a login when new mechanisms are introduced or policy changes.
Setting login state is not the only thing that audit does. Audit requirements
also exist to audit failures in the login process that may be entirely
unrelated to authentication.
That said, I'm not 100% sure that the audit state, leaving aside the auditing
of login events, couldn't be done in a PAM module. An interesting question is
why the rest of the UNIX credential is also not set up using PAM -- see calls
to setlogin(2), setusercontext(3), etc, in login.c and other things involved
in login.
Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)