[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_mkhomdir fix(ldap, su problem)



After reading some more information on pam and finding nothing about
when and where to drop privileges. This is properly the closest to
something useful I could find on this topic. The example under would not
work unless privileges was drooped after a pam_session_open. Also the
last part implies that you will need root privileges.

>From http://wwws.sun.com/software/solaris/pam/man_pam.pdf: page 14 (or
16 if you use google).

"In many instances, the pam_open_session( ) and pam_close_session( )
calls may be made by different processes. For example, in UNIX the
login process opens a session, while the init process closes the
session. In this case, UTMP/WTMP entries may be used to link the call to
pam_close_session( ) with an earlier call to pam_open_session( ). This
is possible because UTMP/WTMP entries are uniquely identified by a
combination of attributes, including the user login name and device
name, which are accessible through the PAM handle, pamh. The call to
pam_open_session( ) should precede UTMP/WTMP entry management and the
call to pam_close_session( ) should follow UTMP/WTMP exit management."


/Troels.

On Mon, 2003-07-07 at 18:45, Steve Langasek wrote:
> On Sun, Jul 06, 2003 at 08:35:38PM -0800, Ethan Benson wrote:
> > On Sun, Jul 06, 2003 at 05:54:58PM -0500, Steve Langasek wrote:
> 
> > > Convince the OpenSSH maintainers that the current behavior is incorrect,
> > > and get them to change it.
> 
> > who says its incorrect?  not the pam docs.  pam_session running as
> > root has always been an assumption.
> 
> I say it's incorrect; because if it's not incorrect, it's nevertheless
> all but useless.
> 
> pam_mkhomedir: create user homedir upon session start.  Requires
> write-access to a directory that /should/ be root-only writeable.
> 
> pam_radius: logs connection information to a RADIUS accounting server.
> Requires access to the RADIUS shared secret.  Root-only.
> 
> pam_console: grant locally logged-in users access to certain devices.
> Requires root access to change file permissions.
> 
> pam_lastlog: writes to /var/log/lastlog.  Root only.
> 
> And strangely, I can't find such a module at the moment; but another
> obvious application for open/close session is utmp/wtmp logging.
> 
> So as long as you only care about trivial modules like pam_mail and
> pam_env, sure; running pam_session without privileges works just fine.
> 
> > its less convenient, but also much safer, always a tradeoff.
> 
> So don't run untrusted PAM modules.  This choice should be made by the
> administrator, not by the programmer.




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []