
Re: new pam_keylogin module

Thorsten Kukuk wrote:
> The other question, I change the UID and reset it. Is my solution
> correct, could there be a security problem, or is there a better
> solution?

[from pam_keylogin.c]:

  saved_uid = getuid ();
  if (seteuid (user_pwd->pw_uid) < 0)
    return PAM_SUCCESS;
  status = key_setsecret (secret);
  seteuid (saved_uid);

Shouldn't the first line be 'saved_uid = geteuid()' since this is the
one you are setting/resetting?  I've been trying to encourage the convention
that the EUID is that of the user granting permissions (generally root) and
the UID is the user requesting the permission ('morgan' in the case I type
'su andrew') -- there are a few paragraphs about this in the applications
developer documentation:



               Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
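
An added example (not part of the original message and not code from pam_keylogin.c) of the save/switch/restore pattern discussed above: it saves geteuid() rather than getuid() and checks that the restore worked. The names run_as_euid and record_euid are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum run_status { RUN_OK = 0, RUN_SWITCH_FAILED = -1, RUN_RESTORE_FAILED = -2 };

/* Hypothetical helper: call fn(arg) with the effective UID set to `target`,
 * then put the effective UID back to what it was on entry. */
static enum run_status
run_as_euid(uid_t target, int (*fn)(void *), void *arg, int *fn_result)
{
    /* seteuid() changes the effective UID, so that is the value to save.
     * getuid() returns the real UID (the requesting user); restoring to it
     * would leave the process with that user's EUID instead of the EUID it
     * started with. */
    uid_t saved_euid = geteuid();

    if (seteuid(target) < 0)
        return RUN_SWITCH_FAILED;      /* fn is never run as the wrong user */

    *fn_result = fn(arg);

    /* Check the restore: continuing with the wrong identity is a failure
     * the caller has to know about. */
    if (seteuid(saved_euid) < 0 || geteuid() != saved_euid)
        return RUN_RESTORE_FAILED;

    return RUN_OK;
}

/* Sample callback: records the effective UID it runs under. */
static int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 7;                          /* arbitrary marker value */
}

int main(void)
{
    uid_t seen = (uid_t)-1;
    int result = 0;
    /* Switching to the current EUID is always permitted, so this runs
     * with or without privilege. */
    enum run_status st = run_as_euid(geteuid(), record_euid, &seen, &result);

    printf("status=%d callback_euid=%ld euid_now=%ld\n",
           (int)st, (long)seen, (long)geteuid());
    return st == RUN_OK ? 0 : 1;
}
```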
