-2

I want to use a python script to call it in the pam_exec module.

The first answer in this question says that I can't use a python script and a PAM module together.

First off - you cannot use python code as a PAM module, it has to be compiled code that satisfies certain interface requirements. See here for more info.

Here we are clearly given to understand that pam_exec is a PAM module.

pam_exec - PAM module which calls an external command

So is it possible to use python or not? (This also applies to my previous question.)

Santa Monica
  • Why do I get cons? I asked a clear question and attached 2 links. To the official documentation, and to the answer on a similar topic on the same site. Moreover, the answer and documentation contradict each other. – Santa Monica Dec 03 '22 at 16:55
  • You can cite the comments with `>`. If you provide links without comments, a StackOverflow user has to read all the documents to solve this question. – Constantin Hong Dec 03 '22 at 16:57

1 Answer

1

The difference between the two answers you cite is because of how the script is used.

In the negative answer, the python script was listed directly as the PAM module. This will not work. PAM modules need to be shared objects, e.g. binary compiled code. They are directly linked into the running process that uses PAM as needed. A Python script isn't compiled code.

In the positive answer, the PAM module used is pam_exec. pam_exec is a shared object:

/usr/lib64/security/pam_exec.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d0c1dbb05c0689e3645193b45d3125d3b27b32ce, stripped

pam_exec then runs a program, which CAN be a Python script. Because it runs a program rather than dynamically linking to a shared object, it doesn't have the same limitation. This is the whole point of pam_exec really.

So yes, you can use Python, but you must pam_exec the script. Do be aware of this note from pam_exec, it's important:

Commands called by pam_exec need to be aware of that the user can have control over the environment.

TrentP
  • "Commands called by pam_exec need to be aware of that the user can have control over the environment." Could you explain what this sentence means? And how it should affect my script. – Santa Monica Dec 05 '22 at 05:11
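
One way a Python script run through pam_exec can treat its environment as untrusted, which is the point of the man page note quoted in the answer. This is an added example, not code from the answer or from Linux-PAM; the script path, the username pattern, the fixed PATH and the log wording are assumptions.

```python
#!/usr/bin/python3 -I
# -I (isolated mode): ignore PYTHON* variables and the user site directory.
# Hypothetical PAM config line that would run this file:
#   session optional pam_exec.so /usr/local/sbin/pam_hook.py
import os
import re
import sys
import syslog

# Items the pam_exec man page lists as exported to the command.
PAM_ITEMS = ("PAM_USER", "PAM_RUSER", "PAM_RHOST", "PAM_SERVICE", "PAM_TTY", "PAM_TYPE")
# Assumed policy for this example: conservative login-name shape.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def clean_env(environ):
    """Build a fresh environment: allowlisted PAM items only, fixed PATH."""
    env = {"PATH": SAFE_PATH, "LC_ALL": "C"}
    for name in PAM_ITEMS:
        value = environ.get(name, "")
        # Reject control characters (e.g. newlines) that could forge log lines.
        if value and value.isprintable() and len(value) <= 256:
            env[name] = value
    return env


def handle(environ, log=syslog.syslog):
    """Return the exit status pam_exec sees: 0 = success, non-zero = failure."""
    env = clean_env(environ)
    user = env.get("PAM_USER", "")
    if not USER_RE.fullmatch(user):
        log("pam_hook: rejected malformed PAM_USER")
        return 1
    if env.get("PAM_TYPE") == "open_session":
        log("pam_hook: session opened user=%s rhost=%s service=%s" % (
            user, env.get("PAM_RHOST", "-"), env.get("PAM_SERVICE", "-")))
    # Any helper this script starts should get env=env, an absolute path and
    # an argument list (no shell), never the inherited os.environ.
    return 0


if __name__ == "__main__":
    sys.exit(handle(os.environ))
```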