bsd-auth: More docs for auth_approval, fix error in auth_call docs

1 files changed, 7 insertions, 3 deletions

diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org
index 01919e8..ba56274 100644
--- a/content/posts/WIP-how-bsd-authentication-works/index.org
+++ b/content/posts/WIP-how-bsd-authentication-works/index.org
@@ -1449,8 +1449,8 @@
   _add_rmlist(as, line);
   #+end_src
 
-  After scanning is complete, the resulting status is checked against
-  a bitmask to ensure the result is either only accept or only reject.
+  After scanning is complete, the exit status of the process is
+  checked. A non-zero exit status means the request will get denied.
 
   An =okay= value is then defined by masking the state with the value
   =AUTH_ALLOW=.
@@ -2273,7 +2273,11 @@
   @@html: </details> @@
 
   =auth_approval= is used to check user =name= against approval script
-  for service =type=.
+  for service =type=. According to the man pages, approval scripts are
+  generally much simpler than the full login modules used by the other
+  functions. They often run with limited information and instead of
+  explicitly allowing or denying users with specific conditions, they
+  may either exit with a zero or non-zero status to signal approval.
 
   <<here>>