rename user via PAM module?
Nicolas François
nekral.lists at gmail.com
Tue Jun 14 20:25:36 UTC 2011
Hello,
On Tue, Jun 14, 2011 at 08:04:06PM +0200, Tomas Mraz wrote:
>
> There is no such module currently. Also there is a problem that some
> applications/services that call the PAM library do not work correctly in
> this situation. Typical example is the OpenSSH sshd that ignores the
> PAM_USER changes made by modules.
I've been looking for applications that support this. Are there some
examples?
shadow-utils has a patch in Debian to support it in su, but I've been
reluctant to push it to the upstream trunk because I'm unsure how an
application shall react.
First from a formal point of view, the documentation cannot be correct:
    PAM_USER
        The username of the entity under whose identity service will be
        given. That is, following authentication, PAM_USER identifies the
        local entity that gets to use the service. Note, this value can be
        mapped from something (eg., "anonymous") to something else (eg.
        "guest119") by any module in the PAM stack. As such an application
        should consult the value of PAM_USER after each call to a PAM
        function.
As the PAM_USER value is received with a PAM function, PAM_USER should not
be checked after each call to a PAM function ;)
More seriously, I think the list of APIs which could change PAM_USER
should be restricted.
With shadow-utils' su, the following PAM sequence is used. I've tried to
define how I could react to a change of PAM_USER (this is not necessarily
what su does).
1. pam_authenticate
   If PAM_USER changes, I do not really care. PAM_USER is documented to
   be the authenticated user. I can continue running the command as the
   requested user. (In case of sudo, this might be clearer because the
   authenticated user and the user used to execute the command are
   clearly separated.)
2. pam_acct_mgmt
3. (pam_chauthtok)
   PAM_USER would still be the authenticated user (i.e. the account of
   the authenticated user is checked, not the account of the user the
   command is going to be run as).
4. pam_setcred
   PAM_USER needs to be set to the name of the user we want to run the
   command as before calling pam_setcred.
   If pam_setcred changes PAM_USER I would have a problem because
   (pam_setcred manpage) the UID and GID credentials need to be set
   before (which I do not do for UID because I need pam_open_session to
   run as root).
5. pam_open_session
   For the same reason, pam_setcred needs to be called before
   pam_open_session.
6. pam_getenvlist
   It is definitely too late to take any PAM_USER changes into
   consideration at this time.
My feeling is that PAM_USER can only indicate the authenticated user and
should not be changed outside of pam_start, pam_authenticate,
pam_acct_mgmt, pam_chauthtok, pam_set_item (when called explicitly to
change PAM_USER).
Applications which are asked to authenticate and execute as different
users have to set PAM_USER before pam_setcred.
For the other applications, I see 2 possibilities:
a] Reset PAM_USER before pam_setcred.
   Maybe check PAM_USER during the authentication so that the right
   information appears in the log files.
b] Use the new PAM_USER to execute the command, and log the right
   information in the log files.
In case of su, I would be tempted by a] and in case of login, I would be
tempted by b].
Any hint?
Best Regards,
--
Nekral