help with running popen

Kris Deugau kdeugau at vianet.ca
Thu Apr 5 15:37:45 UTC 2007


>> This doesn't really look like a PAM question, exactly; although PAM and 
>> whatever calls it will determine which UID and GID your module starts 
>> executing as.
>> 
>> gpg is a bad example; it's much more paranoid about the (E)UID and 
>> (E)GID it runs under. I don't think sudo will go quite far enough. Check 
>> the command you're trying to run manually; run it as root, as a "full" 
>> regular user, and as a restricted user like nobody. You'll probably have 
>> to do some additional (E)UID/(E)GID tweaking to get your module running 
>> as the correct UID/GID for what you want to accomplish.
>> 
>> -kgd

ronald de la cruz wrote:
> Thanks for the reply...but my only problem is adding the 'sudo' in popen.
> If I run it without sudo, there's no problem...
> 
> My main concern is how the PAM module will accept that sudo.

The second paragraph of my reply still applies;  gpg is very particular 
about the UID, EUID, GID, and EGID it finds itself running under.  sudo 
doesn't quite set everything perfectly IIRC - you *will* need to 
explicitly set the UID, EUID, GID, and/or EGID (one or more, depending 
on what's not set correctly for what you want to accomplish).

There's nothing special about PAM that I know of that limits sudo in any 
way;  about the only thing I can think of is trouble determining which 
user is apparently *calling* sudo so you can add the appropriate entries 
to /etc/sudoers so that your command runs as the correct user.

A better idea of what your module is trying to accomplish would probably 
help the PAM gurus on the list give you some more specific advice;  my 
recommendations come from trying to get gpg to run in a certain manner 
from a setuid Perl script.  Among other problems I ran into, I found 
that sudo did NOT go far enough in setting the EUID to the correct user 
for my use of gpg.

-kgd
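
The message above recommends setting the UID, EUID, GID and EGID explicitly instead of relying on sudo inside popen(). One way to do that in C, as an added example that is not part of the original post or of any PAM module: `run_as` is a hypothetical helper name, and the command in `main` is a constructed sample.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* run_as() is a hypothetical helper: fork, set real and effective UID/GID
 * to uid/gid in the child, verify them, then exec argv[0] without a shell.
 * Returns the exit status, 126 if the IDs could not be set, 127 if exec
 * failed, -1 if fork/wait failed or the child died from a signal. */
int run_as(uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Groups first, then GID, then UID last: once the UID is dropped
         * the process can no longer change its groups. */
        if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
            _exit(126);
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        /* With root privilege setgid()/setuid() set the real, effective
         * and saved IDs; without it only the effective ID changes, so
         * check the result instead of assuming it. */
        if (getuid() != uid || geteuid() != uid ||
            getgid() != gid || getegid() != gid)
            _exit(126);
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: print the IDs the child actually runs with. */
    char *const cmd[] = { "/bin/sh", "-c", "id", NULL };
    int rc = run_as(getuid(), getgid(), cmd);
    printf("exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```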



