
Re: new pam_keylogin module



Thorsten Kukuk wrote:
> The other question, I change the UID and reset it. Is my solution
> correct, could there be a security problem, or is there a better
> solution ?

[from pam_keylogin.c]:

  saved_uid = getuid ();
  if (seteuid (user_pwd->pw_uid) < 0)
    return PAM_SUCCESS;
  status = key_setsecret (secret);
  seteuid (saved_uid);

Shouldn't the first line be 'saved_uid = geteuid()' since this is the
one you are setting/resetting?  I've been trying to encourage the convention
that the EUID is that of the user granting permissions (generally root) and
the UID is the user requesting the permission ('morgan' in the case I type
'su andrew') -- there are a few paragraphs about this in the applications
developer documentation:

http://parc.power.net/morgan/Linux-PAM/Linux-PAM-html/pam_appl-4.html#ss4.4

Cheers

Andrew
-- 
               Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
                  http://parc.power.net/morgan/index.html
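
The save/switch/restore pattern discussed above, as an added example that is not code from pam_keylogin.c or Linux-PAM. run_as_euid(), euid_op and record_euid() are hypothetical names; record_euid() is a constructed stand-in for the key_setsecret() call.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*euid_op)(void *arg);

/* Run op() with the effective UID set to target, then restore the
 * effective UID that was in force on entry.
 * Returns 0 on success, -1 if the switch failed (op is not run),
 * -2 if the original EUID could not be restored (caller should abort). */
int run_as_euid(uid_t target, euid_op op, void *arg, int *op_status)
{
    /* Save the EUID, not the UID: in a setuid-root application getuid()
     * is the requesting user, so restoring to it would leave the process
     * with that user's EUID instead of returning to root. */
    uid_t saved_euid = geteuid();

    if (seteuid(target) < 0)
        return -1;

    *op_status = op(arg);

    /* Check the restore: an unnoticed failure leaves the process
     * running with the target user's identity. */
    if (seteuid(saved_euid) < 0 || geteuid() != saved_euid)
        return -2;
    return 0;
}

/* Constructed stand-in for key_setsecret(): records the EUID it ran under. */
static int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

int main(void)
{
    uid_t seen = (uid_t)-1;
    int status = -1;
    /* Target our own EUID so the example runs without privileges. */
    int rc = run_as_euid(geteuid(), record_euid, &seen, &status);
    printf("rc=%d status=%d ran-as=%ld now=%ld\n", rc, status,
           (long)seen, (long)geteuid());
    return rc == 0 ? 0 : 1;
}
```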


