New policy type to check client credentials?
Michael Biebl
mbiebl at gmail.com
Fri Jan 30 13:31:44 PST 2009
2009/1/30 David Zeuthen <david at fubar.dk>:
> On Fri, 2009-01-30 at 19:28 +0100, Michael Biebl wrote:
>> Apparently this is used by admins with larger installations (mostly
>> ldap backed), where they assign group membership on login via
>> pam_group and current dbus fails for that.
>
> Maybe this is off-topic but it sounds to me like pam_group is vulnerable
> to the good old "once member of a group, always member of a group"
> problem [1]. If so, you really shouldn't be encouraging people to use
> such things.
I can think of reasons why pam_group is useful (scalability being one
and limitiations of users per group).
I also don't see how pam_group is any more *vulnerable* than static
group memberships via /etc/groups.
Cheers,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
More information about the dbus
mailing list