Recognize a Login Event

PAM Server Control does not treat all attempts to change the user ID of a process as login events. Usually a program attempts to change its user ID with a setuid system call. The SURROGATE class controls these events, which are not necessarily considered login events. These events do not necessarily change the user identity from the point of view of PAM Server Control.
PAM Server Control always preserves the original user identity, that is, the identity with which the user logged in initially. Ordinary setuid system calls do not cause PAM Server Control to register a change in user identity.
For PAM Server Control to recognize the identity change, it must recognize this event as a login event. The product recognizes login events using the following rules:
  • The program that attempts to change the identity is defined as a login program. All programs in the LOGINAPPL class are login programs.
  • The program executes a series of system calls corresponding to its definition in the LOGINAPPL class.
When you begin an administration session (in selang or PAM Server Control Endpoint Management), PAM Server Control performs a dummy login event. This event is not a true login; rather, PAM Server Control performs certain internal checks, which are similar to login checks.
For more information, see the SEQUENCE property for the LOGINAPPL class in the selang Reference Guide.
At the start of an administration session, the user name is checked on the machine to be administered. You get access to this machine for administration only if you have WRITE access for the terminal from which you perform the session.
For example, if you are logged in to host Minerva and would like to administer PAM Server Control on host Artemis, two conditions are necessary:
  • A TERMINAL object called Minerva (or the relevant fully qualified name) is in the database record for Artemis.
  • You are listed in the ACL of this object with WRITE permission.
These conditions are checked before any other user authority check. You also need administrative authority in the database.