IRC channel logs

2021-06-18.log

<PurpleSym>rekado: Oh, I see. Is that a problem currently? I never tested PAM authentication (i.e. running rserver/rsession with different users).
<rekado>it’s a problem for me
<rekado>because I was just about to deploy RStudio Server from Guix on a bunch of servers.
<rekado>PAM authentication works fine on RHEL with pamtester
<rekado>I launch rserver with --auth-pam-helper-path=/usr/local/bin/rstudio-pam-helper
<rekado>that’s a script that only does this: exec /bin/pamtester rstudio $1 authenticate
<rekado>it uses the “rstudio” PAM settings (first argument to pamtester), followed by the username, and tries to authenticate the user.
<rekado>the return value of the script is what RStudio uses to deny or grant access
<rekado>it’s very simple
<rekado>this little bug means that people are unable to actually switch R versions when rserver runs as a different user account.
<rekado>that’s because we write to their own “active session” and then attempt to read from root’s non-existent session
<rekado>it doesn’t outright throw an error; switching versions just has no effect
<PurpleSym>Ah, okay, I see. I thought we’d have to actually link rserver against pam.
<rekado>no, luckily we don’t have to. --auth-pam-helper-path could be set to *anything*, but for integration with existing PAM policies it should be something that links with the system’s PAM. The system-installed pamtester fits the bill.