On Wed, Nov 19, 2008 at 12:40:01PM -0500, James Carlson wrote:
> Nicolas Williams writes:
> > It's called embedded_su(1M) :)
> 
> I disagree.  embedded_su was designed for applications that need to do
> the equivalent of 'su', but that need to do it from within some
> non-CLI environment.  It's for the "click here and enter your admin
> password" GUI bits.
> 
> In this case, we're not trying to *become* that UID at all.  We don't
> care about the UID; it's irrelevant for the daemon.  We care only
> about authenticating a user *name*.

embedded_su can do that just fine, just tell it to exec /bin/true (or
false) :)

But yes, I see the point, and I'll raise that embedded_su already has
much of the code you need to build an "authenticator daemon."

If you're trying to say "authenticate non-Unix users via PAM" that's
another story.  In the past I've pushed that angle too, but it's never
caught on, and at least one ARC member, IIRC, strongly believes that PAM
is solely for *Unix user* authentication and not intended for
authenticating other types of users.

OTOH, I'm pretty sure that people have used Apache with mod_auth_pam to
implement authentication of non-Unix users, and have done so
successfully -- libpam itself doesn't care about what {PAM_SERVICE,
PAM_USER} refers to, it only knows how to run PAM_SERVICE and the rest
is up to the configuration for that service.

Nico
-- 
