Re: [courier-users] calling session PAM modules
>On 06/09/2015 12:54 AM, Matus UHLAR - fantomas wrote: >> Although all other services do run those calls too, I found it still better >> to let admins load the system when they need it. On 09.06.15 09:54, Gordon Messmer wrote: >I don't think it's true that all other services run the session calls. >Typically, non-interactive services don't. For instance, "cvs," >"postgresql," and "smtp" (from Postfix) don't include any session >directives on the first server I looked at. mod_auth_pam for Apache >httpd doesn't invoke the session. I still don't get your point - where exactly do you see the problem? >It might be safe to do this in an authdaemon child process, but >typically the session calls would be invoked in the process that >actually becomes the user's session. In this case, imapd or pop3d. afaik, there ARE more authdaemon processes, and since the pam code is already in authdaemon, it apparently should not be put into imapd/pop3d. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Posli tento mail 100 svojim znamim - nech vidia aky si idiot Send this email to 100 your friends - let them see what an idiot you are -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] calling session PAM modules
On 06/09/2015 12:54 AM, Matus UHLAR - fantomas wrote: > Although all other services do run those calls too, I found it still better > to let admins load the system when they need it. I don't think it's true that all other services run the session calls. Typically, non-interactive services don't. For instance, "cvs," "postgresql," and "smtp" (from Postfix) don't include any session directives on the first server I looked at. mod_auth_pam for Apache httpd doesn't invoke the session. It might be safe to do this in an authdaemon child process, but typically the session calls would be invoked in the process that actually becomes the user's session. In this case, imapd or pop3d. -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] calling session PAM modules
>On 06/08/2015 05:01 PM, Sam Varshavchik wrote: >> That's another option. If that's all that pam session is used for, is to >> invoke the pam_mkhomedir.so module, this should work. On 08.06.15 22:34, Gordon Messmer wrote: >That's probably not a great idea while the pam configurations include >system-auth. It's standard setup on CentOS 7 looks like: [deleted] I agree - that's why I said "of course, only if admin sets it up, to prevent others from useless pam calls" Although all other services do run those calls too, I found it still better to let admins load the system when they need it. maybe env. variable (courier-style) that allows pam-session? >It might work better if authdaemond forked and ran the session bits in >the child process? But especially with systemd, it's worth benchmarking >the number of auth calls / second authdaemond can handle with and >without the session calls. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759 -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users