help with running popen
Kris Deugau
kdeugau at vianet.ca
Thu Apr 5 15:37:45 UTC 2007
>> This doesn't really look like a PAM question, exactly; although PAM and
>> whatever calls it will determine which UID and GID your module starts
>> executing as.
>>
>> gpg is a bad example; it's much more paranoid about the (E)UID and
>> (E)GID it runs under. I don't think sudo will go quite far enough. Check
>> the command you're trying to run manually; run it as root, as a "full"
>> regular user, and as a restricted user like nobody. You'll probably have
>> to do some additional (E)UID/(E)GID tweaking to get your module running
>> as the correct UID/GID for what you want to accomplish.
>>
>> -kgd
ronald de la cruz wrote:
> thanks for the reply...but my only problem is adding the 'sudo' in popen.
> if i run it without sudo, there's no problem...
>
> my main concern is how the PAM module will accept that sudo.
The second paragraph of my reply still applies; gpg is very particular
about the UID, EUID, GID, and EGID it finds itself running under. sudo
doesn't quite set everything perfectly IIRC - you *will* need to
explicitly set the UID, EUID, GID, and/or EGID (one or more, depending
on what's not set correctly for what you want to accomplish).
There's nothing special about PAM that I know of that limits sudo in any
way; about the only thing I can think of is trouble determining which
user is apparently *calling* sudo so you can add the appropriate entries
to /etc/sudoers so that your command runs as the correct user.
A better idea of what your module is trying to accomplish would probably
help the PAM gurus on the list give you some more specific advice; my
recommendations come from trying to get gpg to run in a certain manner
from a setuid Perl script. Among other problems I ran into, I found
that sudo did NOT go far enough in setting the EUID to the correct user
for my use of gpg.
-kgd
More information about the Pam-list
mailing list