[PATCH] pam_exec questions and possible patch
Thorsten Kukuk
kukuk at suse.de
Thu Mar 22 06:23:07 UTC 2007
On Wed, Mar 21, Aaron Cohen wrote:
> I'm currently trying to use pam_exec to call a script to synchronize
> my home directories with a central server and have come across a
> couple of issues.
>
> Firstly, does pam_exec make any sense outside of the "session" section
> of pam.conf?
Yes, it does. Just look at the example section of the manual page.
> It seems slightly hairy to me, because for instance if
> it's in the auth section a user could cause a program to be executed
> by another user by only unsuccessfully attempting to log in as that
> user.
Only an admin can configure this module, so it depends on what he
allows and what not.
> Secondly, is there any way to distinguish in the exec'ed program that
> the session is being opened or closed? I've finally created a simple
> patch that defines a PAM_SESSION_ACTION environment variable in the
> executed subprocess so that my script can do the correct actions.
>
> Thirdly, does the seteuid option actually work correctly?
Yes, it does. Please also look at the example section of the manual
page.
> It seems to
> me that it simply sets the effective user id to whatever the effective
> user id already was.
Correct, it sets the effective user id to the one of the calling
application.
> My patch changes this by setting the effective
> userid of the subprocess to the user id of the user whose session is
> being created if this option is specified.
This change breaks all available configurations, especially the example
from the manual page.
Please introduce new options, not change existing ones.
Thorsten
--
Thorsten Kukuk, Project Manager Base System, Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
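
Added example, not part of the original message or of the patch discussed in it: a hook script for pam_exec that distinguishes session open from close and does nothing when it is reached from another module type, such as a failed login in the auth stack. It assumes the PAM_TYPE and PAM_USER environment variables that current Linux-PAM pam_exec exports (not the PAM_SESSION_ACTION variable proposed in the thread); `pam_hook_action` and `sync_home` are hypothetical names.

```shell
#!/bin/sh
# Added example: pam_exec hook that acts only on session open/close.
# Assumes PAM_TYPE and PAM_USER as exported by current Linux-PAM pam_exec.
# sync_home is a hypothetical placeholder for the real synchronisation job.

# Print the action for a PAM_TYPE / PAM_USER pair.
# Returns 0 when an action should run, 1 when the call must be skipped.
pam_hook_action() {
    ptype=$1
    user=$2
    # Reject empty or unusual user names before they reach a path or command.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) echo "reject"; return 1 ;;
    esac
    case $ptype in
        open_session)  echo "sync_down" ;;
        close_session) echo "sync_up" ;;
        # auth, account, password: reachable by a login attempt that fails,
        # so never do work on behalf of the named user here.
        *) echo "ignore"; return 1 ;;
    esac
}

# Hypothetical placeholder: replace with the real synchronisation command.
sync_home() {
    echo "would run $1 for $2"
}

main() {
    # Skipped calls exit 0 so the hook itself does not fail the PAM stack.
    action=$(pam_hook_action "${PAM_TYPE:-}" "${PAM_USER:-}") || return 0
    sync_home "$action" "$PAM_USER"
}

# Run only when pam_exec has set PAM_TYPE; sourcing the file does nothing.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```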