The Linux-PAM modules will need to determine the identity of the user who requests a service, and the identity of the user who grants the service. These two users will seldom be the same. Indeed there is generally a third user identity to be considered, the new (assumed) identity of the user once the service is granted.
The need for keeping tabs on these identities is clearly an issue of security. Basically, the identity of the user requesting a service should be the current uid (userid) of the running process; the identity of the privilege granting user is the euid (effective userid) of the running process; the identity of the user, under whose name the service will be executed, is given by the contents of the PAM_USER item (see pam_get_item(2)). In addition the identity of a remote user, requesting the service from a distant location, will be placed in the PAM_RUSER item.
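The following C code is an added example, not code from the Linux-PAM project. It keeps the requesting, granting, target and remote identities apart and flags how they differ. The names `identities`, `resolve_target`, `classify` and `classify_current` are hypothetical, and the PAM_USER and PAM_RUSER strings are passed in as parameters where a module would read them with pam_get_item().

```c
#include <pwd.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names; none of this is part of the Linux-PAM API. */
struct identities {
    uid_t requester;    /* uid: who asks for the service */
    uid_t grantor;      /* euid: whose privilege grants it */
    const char *target; /* PAM_USER: name the service will run under */
    const char *remote; /* PAM_RUSER: remote requester, NULL if local */
};

enum {
    ID_BORROWED_PRIV  = 1 << 0, /* uid != euid, e.g. a setuid application */
    ID_TARGET_OTHER   = 1 << 1, /* PAM_USER is not the requester's account */
    ID_TARGET_UNKNOWN = 1 << 2, /* PAM_USER unset or without a passwd entry */
    ID_REMOTE         = 1 << 3  /* PAM_RUSER names a remote requester */
};

/* Map a PAM_USER name to a uid; returns 0 on success, -1 if unusable. */
int resolve_target(const char *name, uid_t *uid)
{
    struct passwd *pw;
    if (name == NULL || *name == '\0' || (pw = getpwnam(name)) == NULL)
        return -1;
    *uid = pw->pw_uid;
    return 0;
}

/* Compare the identities; none of them stands in for another. */
unsigned classify(const struct identities *id, int target_ok, uid_t target_uid)
{
    unsigned flags = 0;
    if (id->requester != id->grantor) flags |= ID_BORROWED_PRIV;
    if (!target_ok) flags |= ID_TARGET_UNKNOWN;
    else if (target_uid != id->requester) flags |= ID_TARGET_OTHER;
    if (id->remote != NULL && *id->remote != '\0') flags |= ID_REMOTE;
    return flags;
}

/* A module would obtain both strings with pam_get_item(); here they are
 * parameters, and uid/euid are read from the running process. */
unsigned classify_current(const char *pam_user, const char *pam_ruser)
{
    struct identities id = { getuid(), geteuid(), pam_user, pam_ruser };
    uid_t t = 0;
    int ok = resolve_target(pam_user, &t) == 0;
    return classify(&id, ok, t);
}
```

A module can refuse or log when `ID_TARGET_UNKNOWN` is set instead of falling back to the requester's uid, which is the confusion the separation above is meant to prevent.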