More on what’s wrong with PAM

In my all-that’s-wrong-with-PAM post I should have mentioned logindevperm: the setting of ownership and permissions on the devices that make up the login “seat”.  This is a classic thing that PAM should do but typically doesn’t.

What else does PAM not do that it should?  On Solaris, for example: utmpx and /var/lastlog handling.

There’s all sorts of code in /bin/login and GDM that should be in PAM modules instead.  For example, the loading and saving of session preferences in GDM, which one would think should be entirely specific to GDM, but which interacts with authentication in very special ways: it may not be possible even to attempt to access a user’s home directory until after the user’s Kerberos (or whatever) credentials are available, in which case what should GDM do about avatar images and session preferences?  Right, GDM should (and does) use /var as a cache prior to having home directory access.  But with rich enough conversations we could do all of this work in the modules — GDM-specific modules, perhaps, but then, most of these session preferences are actually generic, as are avatar pics.

If enough of these things move into PAM, and if we use a model where the login process spawns user processes, then we can collapse all of pam_authenticate(), pam_acct_mgmt(), pam_chauthtok(), pam_setcred(), and pam_open_session() into one function — a simpler API for sure!

~ by nico on February 13, 2012.

One Response to “More on what’s wrong with PAM”

  1. This is not strictly PAM related, but have you seen how OS X handles login? They use an LDAP directory by default and they store some of the preferences there, for example the avatar image.
    I have not seen how that is done, but I’m guessing it wouldn’t be trivial to port, would it?
