UNSUBSCRIBE
ThinkTank.at
office at ThinkTank.at
Wed Mar 13 07:57:32 UTC 2013
-----Original Message-----
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On Behalf Of Dylan Martin
Sent: Tuesday, March 12, 2013 20:22
To: Pluggable Authentication Modules
Subject: Re: pam modules and setuid actions
You have a cache file that you can open as root, but not using su or sudo or your suid binary? Is that right? That's weird. You're not operating in a filesystem that's mounted nosuid, by any chance?
The only problem I can see with your approach is that suid is kind of all-or-nothing. If your binary does anything before it operates on the cache file, it will also be root until you can well-and-truly drop root privileges after dealing with the cache file.
An alternative might be to make your binary suid some-other-user. So, say the cache file belongs to a user named cacheface and only cacheface can read or write to that file. Your cache-editing binary could be suid cacheface.
You can make a binary whose only job is interacting with the cache, and have your main program call that suid binary. (that's how a lot of shadow password stuff works)
You could make a server that opens the cache (or keeps it in memory) and you log to it instead of to the remote host.
You could use syslog with remote logging. (probably totally misses the point)
You could stop eating so much fatty food, call your mother from time to time and share that recipe for cold fusion you've been hiding...
;-)
Yar!
-Dylan
On Tue, Mar 12, 2013 at 11:14 AM, Seven Reeds <seven.reeds at gmail.com> wrote:
> Hi,
>
> I am very close to finishing a pam module that will log specific user
> session activities to a database. There could be situations though in
> which the primary, remote DB is unavailable so I want to create a
> local "cache" of loggable events. Once remote DB access is regained I
> will upload the cache records and be very happy. There is an issue
> though.
>
> I want the cache to live in protected space. I would like to open the
> cache as "root" or some other dedicated user. I do not want the
> general public to inspect or edit the cache. I have just tried
> wrapping the cache "open" in setuid calls but that has not worked. I
> am using "su" as my testing tool but even though the "su" executable
> is setuid by default the open section fails.
>
> Is there a general PAM related solution to this?
>
> thanks
> Seven
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
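The helper-binary pattern Dylan describes, as an added C example that is not code from the thread or from either poster. It assumes a hypothetical dedicated account (cacheface), a hypothetical cache path, and Linux setresuid/setresgid. The helper opens the cache while it still holds the setuid identity, then drops to the invoking user's real uid/gid for everything else and checks that the drop cannot be reversed; that verified drop is the "well-and-truly drop privileges" step the reply warns about, and it works the same whether the binary is setuid root or setuid to a dedicated user.

```c
/*
 * Added example (not part of the list thread): a helper whose only job is to
 * open the cache file with its setuid identity, then drop privileges before
 * doing anything else. Account "cacheface" and the cache path are hypothetical.
 *
 * Build:   cc -o cache_helper cache_helper.c
 * Install: chown cacheface:cacheface cache_helper && chmod 4755 cache_helper
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open the cache file with whatever identity the process currently has.
 * O_NOFOLLOW refuses a symlink planted at the path; O_CLOEXEC keeps the
 * descriptor from leaking into any child process. */
int open_cache(const char *path) {
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Permanently drop to (uid, gid). Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups first, then gid, then uid, because
 * once the uid is unprivileged the group changes would fail. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Clearing supplementary groups needs CAP_SETGID, so only try it as root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* setresgid/setresuid set real, effective AND saved ids, so the old
     * effective id is not left in the saved slot to be regained later. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop stuck: all three uids equal the target, and an attempt to
 * regain the previous effective uid fails. Returns 1 if dropped, 0 if not. */
int privileges_dropped(uid_t uid, uid_t previous_euid) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    if (r != uid || e != uid || s != uid)
        return 0;
    if (previous_euid != uid && setresuid((uid_t)-1, previous_euid, (uid_t)-1) == 0)
        return 0; /* regained the old identity: the drop was not permanent */
    return 1;
}

/* The helper's entire privileged window: open the cache, then become the
 * invoking (real) user. Returns the open fd, or -1 with errno set. */
int open_cache_and_drop(const char *path) {
    uid_t real_uid = getuid(), euid_before = geteuid();
    gid_t real_gid = getgid();
    int fd = open_cache(path);
    if (fd < 0)
        return -1;
    if (drop_privileges(real_uid, real_gid) != 0 ||
        !privileges_dropped(real_uid, euid_before)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv) {
    /* Hypothetical default cache location; a real deployment picks its own. */
    const char *path = argc > 1 ? argv[1] : "/var/cache/pam_dblog/events.log";
    int fd = open_cache_and_drop(path);
    if (fd < 0) {
        fprintf(stderr, "cache helper failed: %s\n", strerror(errno));
        return 1;
    }
    /* From here on the process runs as the invoking user; only fd still
     * carries the access that the setuid identity granted. */
    const char *line = "constructed sample event\n";
    if (write(fd, line, strlen(line)) < 0)
        perror("write");
    close(fd);
    return 0;
}
```

Run as an ordinary user the drop is a no-op and the helper simply appends to the path given; installed setuid cacheface, the open succeeds only because of that identity and everything after it, including the write, runs as the caller. Pairing the drop with privileges_dropped() is what distinguishes this from a plain seteuid() call, which leaves the saved uid behind and can be undone.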