[PATCH] pam_exec questions and possible patch

Aaron Cohen aaron at assonance.org
Mon Mar 26 16:44:11 UTC 2007


On 3/26/07, Thorsten Kukuk <kukuk at suse.de> wrote:
> On Mon, Mar 26, Aaron Cohen wrote:
>
> > >No, it is not pointless, as your own tests show, and it has a huge
> > >difference if you are doing a fork()/exec*() call.
> > >After exec*() on Linux the effective uid of the new process is the
> > >old real uid.
> >
> > This is entirely false.  Linux does nothing to change either ruid or
> > euid on exec.
>
> Sorry, I should have read my notes first. First, POSIX defines
> some cases where ruid/euid could be changed on exec, but I am not sure
> if this is supported by Linux at all. I don't think so.
>
> Replace "Linux" with "make". The culprit is some applications,
> like make, which seem to depend on the real UID and not on the
> effective one.
> The simplest solution to see this is to set up a NIS server and
> use the example from the manual page. You will see a big difference
> if you use "seteuid" or not. If you don't specify "seteuid",
> everything in the Makefile will be executed with the effective uid
> set to the ruid.
>
> This option was not added for fun, but for problems found by real
> world usage of this module.
>
>   Thorsten
>

OK, I'm aware of at least Oracle, which seems to pay attention to the
real user id rather than to the effective one as well, so that makes
sense.  It seems weird to me that an option called seteuid is more
concerned with setting the Ruid than the Euid though.

My most recent patch actually left around the seteuid option for
compatibility.  I think run_as_user=root would also do the same thing
in a more clear manner though (assuming the calling process has euid
of root as it will in most cases).  Also, run_as_user with no user
specified is useful to me as an admin in securely forcing my users to
run things at login (synchronize their home directories with a backup
server in this case).

I do actually need the environment variable portion of my patch for my
scheme to work (or some equivalent) and it seems useful to me in
general.  What do you think?

Aaron
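An added illustration of the identity change being debated above (example code written for this page, not code from the thread or from pam_exec): it assumes the "seteuid" behaviour amounts to setuid(geteuid()) in the forked child, which, when the caller runs with effective uid 0, overwrites the real uid with the effective one so that a program consulting getuid() (make, per Thorsten) sees the same user as geteuid(). exec*() itself changes neither id.

```c
/* Added example, not pam_exec's own code. Models the "seteuid" option
 * as setuid(geteuid()) (assumption). When the caller is privileged
 * (euid 0) this sets real, effective and saved uid to the effective
 * uid; for an unprivileged caller it is a no-op that still succeeds.
 * exec*() afterwards would preserve whatever ids are set here. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

struct ids { uid_t real; uid_t effective; };

/* Snapshot the identity a child program would observe. */
struct ids current_ids(void)
{
    struct ids i = { getuid(), geteuid() };
    return i;
}

/* Model of the "seteuid" option: without it the child keeps ruid != euid
 * when the caller is set-uid; with it the real uid is replaced by the
 * effective uid. Returns 0 on success, -1 on failure (errno from setuid). */
int apply_seteuid_option(int enabled)
{
    if (!enabled)
        return 0;
    return setuid(geteuid());
}

/* The check a make-like program effectively performs: it trusts getuid(),
 * so only when the two ids agree does it act as the effective user. */
int make_would_see_same_user(void)
{
    struct ids i = current_ids();
    return i.real == i.effective;
}

int main(void)
{
    struct ids before = current_ids();
    printf("before: ruid=%u euid=%u\n",
           (unsigned)before.real, (unsigned)before.effective);
    if (apply_seteuid_option(1) != 0) {
        perror("setuid");
        return 1;
    }
    struct ids after = current_ids();
    printf("after : ruid=%u euid=%u\n",
           (unsigned)after.real, (unsigned)after.effective);
    /* Started from a privileged caller (e.g. via pam_exec) the two lines
     * differ; started as an ordinary user they are identical. */
    return 0;
}
```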
