Debian Weekly News

Debian Weekly News

My understanding was that PAM is exclusively an authentication mechanism. Authorization (and audit, to complete the gold standard) is a separate thing, to be verified once you know *who* a principal is. The authorization mechanism in Linux is generally pretty simplistic, unless you add something like SELinux. I'd bet that SELinux could be used to set up the rights that you mention, though how easy it would be is another matter. For instance, if you allow FTP, does that give the user a way to get a shell?

There's definitely room for improvement, but then isn't there always?