Authentication and authorization with PAM
JCA
1.41421 at gmail.com
Mon Aug 3 23:45:55 CEST 2015
On Sat, Jul 25, 2015 at 6:04 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Jul 24, 2015, at 6:49 PM, JCA <1.41421 at gmail.com> wrote:
>> I have a Linux L system in which the password authentication is
>> carried out against a remote RADIUS server R by means of PAM in L.
>
> OK...
>
>> This works as expected, but I would like to use this mechanism to do
>> authorization chores, besides the authentication ones.
>
> PAM doesn't really do authorization.
>
>> As part of a
>> successful authentication, R will send back to L (in addition to the
>> successful authentication packet) a series of attributes that L will
>> interpret as authorization parameters - e.g. a list of groups that the
>> user that has been authenticated is to belong to.
>
> What's with the one-letter acronyms? It just makes things harder to understand.
It's for conciseness - it's simpler to write R than "RADIUS server"
every time. My apologies if this misled you.
>
> And PAM doesn't do group membership. NSS does group membership.
>
>> My understanding is that the PAM RADIUS module pam_radius.so is the
>> one that interacts with the RADIUS server, and it therefore behooves
>> this module to interpret the authentication information, and act on
>> it. Looking into the documentation for the current pam_radius.so
>> module, it would seem that it contains no support for this - i.e. in
>> order to accomplish what I am describing I need to develop a PAM
>> RADIUS of my own. Is this correct?
>
> What you want is impossible to do. PAM is designed to do authentication. You CANNOT set group membership with PAM.
You can't, or you shouldn't? What prevents one from writing a PAM
module (or modifying an existing one) so that it will receive group
information from the RADIUS server and modify /etc/group accordingly
before returning to the caller?
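Added example, not part of this thread or of FreeRADIUS or pam_radius: a small C program showing where a Unix session's group list actually comes from. The function names (nss_groups, nss_group_count, nss_is_member_gid, nss_is_member) are mine; the program assumes a glibc-style getgrouplist() and, for the usage call, that the invoking user resolves through getpwuid(). After PAM has answered "authenticated", the login program (sshd, login, su) calls initgroups()/getgrouplist(), which resolves membership through NSS (the "group:" line of /etc/nsswitch.conf); nothing in the PAM conversation carries a group list, which is the split between PAM and NSS described in the reply above.

```c
/* Added example (not from the thread): how a login program derives a
 * user's supplementary groups. PAM only yields authenticated yes/no; the
 * groups a session gets come from getgrouplist()/initgroups(), which go
 * through NSS, not through any PAM module. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Resolve user's primary + supplementary groups via NSS.
 * Returns a malloc'd array and stores its length in *count, or NULL if the
 * user is unknown or memory runs out. Caller frees. (Hypothetical helper.) */
static gid_t *nss_groups(const char *user, int *count) {
    struct passwd *pw = getpwnam(user);
    if (!pw) return NULL;
    gid_t primary = pw->pw_gid;          /* copy before further NSS calls */
    int cap = 16;
    gid_t *buf = NULL;
    for (;;) {
        gid_t *grown = realloc(buf, sizeof(gid_t) * (size_t)cap);
        if (!grown) { free(buf); return NULL; }
        buf = grown;
        int n = cap;
        /* getgrouplist() returns -1 when buf is too small; glibc then stores
         * the required size in n. Grow (doubling as a fallback) and retry. */
        if (getgrouplist(user, primary, buf, &n) != -1) {
            *count = n;
            return buf;
        }
        cap = n > cap ? n : cap * 2;
        if (cap > 65536) { free(buf); return NULL; }   /* defensive bound */
    }
}

/* Number of groups NSS reports for user, or -1 if the user is unknown. */
int nss_group_count(const char *user) {
    int n = 0;
    gid_t *g = nss_groups(user, &n);
    if (!g) return -1;
    free(g);
    return n;
}

/* 1 if NSS says user is in group gid, 0 if not, -1 if user is unknown. */
int nss_is_member_gid(const char *user, gid_t gid) {
    int n = 0;
    gid_t *g = nss_groups(user, &n);
    if (!g) return -1;
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (g[i] == gid) { found = 1; break; }
    }
    free(g);
    return found;
}

/* Same check by group name; -1 if the user or the group is unknown. */
int nss_is_member(const char *user, const char *group) {
    struct group *gr = getgrnam(group);
    if (!gr) return -1;
    return nss_is_member_gid(user, gr->gr_gid);
}

int main(int argc, char **argv) {
    /* Default to the invoking user; pass a name to inspect another account. */
    const char *user = argc > 1 ? argv[1] : NULL;
    if (!user) {
        struct passwd *me = getpwuid(getuid());
        if (!me) { fputs("cannot resolve current uid\n", stderr); return 1; }
        user = me->pw_name;
    }
    int n = 0;
    gid_t *g = nss_groups(user, &n);
    if (!g) { fprintf(stderr, "unknown user: %s\n", user); return 1; }
    printf("NSS group list for %s (%d entries):", user, n);
    for (int i = 0; i < n; i++) {
        struct group *gr = getgrgid(g[i]);
        printf(" %u(%s)", (unsigned)g[i], gr ? gr->gr_name : "?");
    }
    putchar('\n');
    /* A real login program would now call setgroups(n, g) and then
     * setgid()/setuid(); that needs CAP_SETGID and is deliberately not done here. */
    free(g);
    return 0;
}
```

Run it as `./nss_groups` or `./nss_groups alice` and compare the output with `id alice`: both walk the same NSS path, which is why changing what a user's session is allowed to do via groups means changing what NSS returns for that user, not what a PAM module returns.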