The Linux-PAM modules will need to determine the identity of the user who requests a service, and the identity of the user who grants the service. These two users will seldom be the same. Indeed there is generally a third user identity to be considered, the new (assumed) identity of the user once the service is granted.
The need for keeping tabs on these identities is clearly an issue of security. One convention that is actively used by some modules is that the identity of the user requesting a service should be the current UID (user ID) of the running process; the identity of the privilege-granting user is the EUID (effective user ID) of the running process; and the identity of the user under whose name the service will be executed is given by the contents of the PAM_USER item (see pam_get_item(3)). Note that modules can change the values of PAM_USER and PAM_RUSER during any of the pam_*() library calls. For this reason, the application should take care to call pam_get_item() every time it wishes to establish who the authenticated user is (or will currently be).
For network-serving databases and other applications that provide their own security model (independent of the OS kernel) the above scheme is insufficient to identify the requesting user.
A more portable solution to storing the identity of the requesting user is to use the PAM_RUSER item (see pam_get_item(3)). The application should supply this value before attempting to authenticate the user with pam_authenticate(). How well this name can be trusted will ultimately be at the discretion of the local administrator (who configures PAM for your application), and a selected module may attempt to override the value where it can obtain more reliable data. If an application is unable to determine the identity of the requesting entity/user, it should not call pam_set_item(3) to set PAM_RUSER.
In addition to the PAM_RUSER item, the application should supply the PAM_RHOST (requesting host) item. As a general rule, the following convention for its value can be assumed: NULL = unknown; localhost = invoked directly from the local system; other.place.xyz = some component of the user's connection originates from this remote/requesting host. At present, PAM has no established convention for indicating whether the application supports a trusted path to communication from this host.