rename user via PAM module?

Nicolas François nekral.lists at gmail.com
Tue Jun 14 20:25:36 UTC 2011


Hello,

On Tue, Jun 14, 2011 at 08:04:06PM +0200, Tomas Mraz wrote:
> 
> There is no such module currently. Also there is a problem that some
> applications/services that call the PAM library do not work correctly in
> this situation. Typical example is the OpenSSH sshd that ignores the
> PAM_USER changes made by modules. 

I've been looking for applications that support this. Are there some
examples?

shadow-utils has a patch in Debian to support it in su, but I've been
reluctant to push it to the upstream trunk because I'm unsure how an
application shall react.

First from a formal point of view, the documentation cannot be correct:

PAM_USER

    The username of the entity under whose identity service will be given. That
    is, following authentication, PAM_USER identifies the local entity that
    gets to use the service. Note, this value can be mapped from something
    (eg., "anonymous") to something else (eg. "guest119") by any module in the
    PAM stack. As such an application should consult the value of PAM_USER
    after each call to a PAM function.

As the PAM_USER value is received with a PAM function, PAM_USER should not
be checked after each call to a PAM function ;)



More seriously, I think the list of APIs which could change PAM_USER
should be restricted.

With shadow-utils' su, the following PAM sequence is used. I've tried to
define how I could react to a change of PAM_USER (this is not necessarily
what su does).
 1. pam_authenticate
    If PAM_USER changes, I do not really care. PAM_USER is documented to
    be the authenticated user. I can continue running the command as the
    requested user. (In case of sudo, this might be clearer because the
    authenticated user and the user used to execute the command are
    clearly separated).
 2. pam_acct_mgmt
 3. (pam_chauthtok)
    PAM_USER would still be the authenticated user (i.e. the account of
    the authenticated user is checked, not the account of the user the
    command is going to be run as)
 4. pam_setcred
    PAM_USER needs to be set to the name of the user we want to run the
    command as before calling pam_setcred.
    If pam_setcred changes PAM_USER I would have a problem because
    (pam_setcred manpage) the UID and GID credentials need to be set
    before. (which I do not do for UID because I need pam_open_session to
    run as root)
 5. pam_open_session
    For the same reason, pam_setcred need to be called before
    pam_open_session.
 6. pam_getenvlist
    It is definitely too late to take any PAM_USER changes into
    consideration at this time.

My feeling is that PAM_USER can only indicate the authenticated user and
should not be changed outside of pam_start, pam_authenticate,
pam_acct_mgmt, pam_chauthtok, pam_set_item (when called explicitly to
change PAM_USER)

Applications which are asked to authenticate and execute as different
users have to set PAM_USER before pam_setcred.

For the other applications, I see 2 possibilities:
 a] reset PAM_USER before pam_setcred.
    Maybe check PAM_USER during the authentication so that the right
    information appears in the log files.
 b] Use the new PAM_USER to execute the command, and log the right
    information in the log files.

In case of su, I would be tempted by a] and in case of login, I would be
tempted by b]

Any hint?

Best Regards,
-- 
Nekral




More information about the Pam-list mailing list