Pam-list Digest, Vol 38, Issue 1

Andreas Schindler schindler at az1.de
Tue Apr 3 17:59:30 UTC 2007


pam-list-request at redhat.com wrote:
> Subject: help with running popen
> From: "ronald de la cruz" <rcdelacruz at gmail.com>
> Date: Tue, 3 Apr 2007 17:27:11 +0800
> To: pam-list at redhat.com
>
> Hi there... I'm writing a PAM module with encryption using gpg.
> I'm trying to use popen() to run an external command like gpg.
> FILE *fp;
> fp = popen("sudo gpg -ear....", "r");
>
> The problem is, I'm trying to run this with the sudo command
> but the PAM module won't accept it.
> The error is
>
> sudo: gpg: commant not found
>
>
> Please help, I really need to run gpg with sudo.
>
> -- 
> ronald de la cruz
> ------------------------------------------------------------------------
>
> Subject: Re: help with running popen
> From: Kris Deugau <kdeugau at vianet.ca>
> Date: Tue, 03 Apr 2007 10:56:53 -0400
> To: Pluggable Authentication Modules <pam-list at redhat.com>
>
> This doesn't really look like a PAM question, exactly;  although PAM
> and whatever calls it will determine which UID and GID your module
> starts executing as.
>
> ronald de la cruz wrote:
>> Hi there... I'm writing a PAM module with encryption using gpg.
>> I'm trying to use popen() to run an external command like gpg.
>> FILE *fp;
>> fp = popen("sudo gpg -ear....", "r");
>>
>> The problem is, I'm trying to run this with the sudo command
>> but the PAM module won't accept it.
>> The error is
>>
>> sudo: gpg: commant not found
>>
>>
>> Please help, I really need to run gpg with sudo.
>
> gpg is a bad example;  it's much more paranoid about the (E)UID and
> (E)GID it runs under.  I don't think sudo will go quite far enough.
>
> Check the command you're trying to run manually;  run it as root, as a
> "full" regular user, and as a restricted user like nobody.  You'll
> probably have to do some additional (E)UID/(E)GID tweaking to get your
> module running as the correct UID/GID for what you want to accomplish.
>
> -kgd
>
There are several things which I suspect:

First, popen() does not necessarily provide a PATH, so it's a good idea
to supply an absolute path to 'gpg'.

Second, sudo needs a table of 'sudoers' to authorize against. Your
module will succeed only if you keep this file up to date for ALL
possible users :-(

Andreas


-- 
Dr.-Ing. Andreas Schindler
 
Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich
 
Telefon 06103-57187-21
Telefax 06103-373245
 
schindler at az1.de
www.az1.de



