SYNOPSIS

       auth optional   pam_securitysession.so
       auth sufficient pam_securitysession.so
       auth required   pam_securitysession.so
       auth requisite  pam_securitysession.so


DESCRIPTION

       In  Mac  OS  X's security model, Apple introduced an additional program
       group division (beyond traditional sessions (see setsid(2)) and process
       groups  (see  setpgid(3))) - the SecuritySession.  Each login automati-
       cally gets a SecuritySession and a unique SecuritySession  ID.   Memory
       cannot  be  shared  directly  between SecuritySessions - a kernel space
       intermediary must be available.  This design makes SecuritySessions  an
       ideal  tool for several uses.  Unfortunately, cases exist where a user's
       SecuritySession is propagated undesirably - most  notably,  when  using
       sudo.

       To avoid carrying session-associated rights (like Kerberos credentials
       and AFS tokens) along when performing privileged operations,
       pam_securitysession.so can be inserted into the PAM authentication
       sequence.  A new security session will be created.  The control flag
       determines what happens next:

       required or requisite
              Inability to create a new session will cause authentication
              to fail.

       sufficient
              ANY USER will be granted rights.

       optional
              The author's suggestion.  The module will not fail if a session
              cannot be created, and will never grant a user access - another
              module will have to do that.
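
       A check for the control-flag pitfall described above, added here as an
       example (it is not part of the original man page or the module's
       source).  It reads /etc/pam.d-style lines on standard input and reports
       how pam_securitysession.so is wired in.  The sample stacks, including
       the pam_unix.so line, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the control flag used with pam_securitysession.so.
# Assumes /etc/pam.d-style lines: <type> <control> <module-path> [args].

# Print one verdict per pam_securitysession.so line read from stdin.
# Exit status: 0 = no "sufficient" use found, 1 = at least one found.
audit_securitysession() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }      # skip comments and short lines
        $3 ~ /(^|\/)pam_securitysession\.so$/ {
            if ($2 == "sufficient") {
                print "FAIL " $1 " sufficient: grants rights to any user"
                bad = 1
            } else if ($2 == "required" || $2 == "requisite") {
                print "WARN " $1 " " $2 ": auth fails if no session can be created"
            } else if ($2 == "optional") {
                print "OK " $1 " optional: cannot fail or grant access by itself"
            } else {
                print "UNKNOWN " $1 " " $2
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample stacks (not taken from a real system); the module that
# actually authenticates the user is assumed to be pam_unix.so.
weak_stack='# weak: the session module alone lets everyone through
auth sufficient pam_securitysession.so
auth required   pam_unix.so'

safe_stack='# suggested: new session, authentication left to another module
auth optional   pam_securitysession.so
auth required   pam_unix.so'

printf '%s\n' "$weak_stack" | audit_securitysession || echo "weak stack: fix needed"
printf '%s\n' "$safe_stack" | audit_securitysession && echo "safe stack: ok"
```

       To audit a live configuration, feed the service file to the function,
       for example: audit_securitysession < /etc/pam.d/sudo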


ARGUMENTS

       None  yet  - if you have any suggestions, please either send them as an
       email or patch the source and send the patch file!


FILES

       /usr/lib/pam/pam_securitysession.so


SEE ALSO

       pam(8)




Phil Holland <hollandp@umich.edu>    1.0a            pam_securitysession.so(8)
