
Re: pam_mkhomdir fix(ldap, su problem)



On Sun, 2003-07-06 at 18:27, Ethan Benson wrote:
> On Mon, Jul 07, 2003 at 12:04:33AM +0200, Troels Liebe Bentsen wrote:
> > On Sun, 2003-07-06 at 23:35, Ethan Benson wrote:
> > > On Sun, Jul 06, 2003 at 09:25:15PM +0200, Troels Liebe Bentsen wrote:
> > > > 3. pam_mkhomedir is called, the effective uid is still root, and the
> > > >    real uid is now the one of the users we su'ed to (e.g. test). But
> > > >    since we on linux have fsuid/fsgid and this is used for filesystem
> > > >    access, this makes it impossible for us to create a directory under
> > > >    /home because it is owned by root and set to 750.
> > 
> > Sorry, it was supposed to be 755 (wrong in mail, correct on filesystem).
> > >                                         ^^^^^
> > 
> > > there is no security threat from /home being world readable anyway,
> > > users should set perms on their home directory to reflect the level of
> > > privacy they desire.
> > You are quite correct on all points and I do agree with them.
> > 
> > But world-writable would not be a good idea as required by the current
> 
> i said world readable not world writable.
> 
> > code. fsuid/fsgid is still set to the user we are su'ing to. And to make
> > it possible to create a home directory, would require world writable
> > permissions on home.
> 
> i really think this is a configuration problem, a great many people
> have used this module without problems.

  I've had the same problem as Troels. It really appears that the
problems depend on what user the pam_mkhomedir module is run as. For
instance, it works fine with older versions of sshd without privilege
separation where it runs as root, but it fails under the newer sshd with
priv_sep, and it appears that pam_mkhomedir is being run as the user
instead of root. If I am correct about this, then it makes sense that
the pam_mkhomedir would fail under the priv_sep version of sshd, since a
normal user will *not* be able to write to /home to create his home
directory. 
  So the issue for me and Troels is: how can we force pam_mkhomedir to
run as root so that it will be able to work with the file permissions on
/home to create the home directory?

High Mobley



