pam modules and setuid actions

Tomas Mraz tmraz at redhat.com
Wed Mar 13 16:39:33 UTC 2013


On Wed, 2013-03-13 at 11:02 -0500, Seven Reeds wrote: 
> Sorry, I was not clear.  I'll try again.
> 
> I have written a PAM shared object (.so) module.  It should log PAM
> session related info to a remote database at session start and stop.
> In the rare times when there are network issues I would like the
> module to log to a local cache file.  When the network is
> reestablished I want to send all the cached records to the remote DB.
> 
> I want the cache file to exist in a protected part of the file system.
>  It should be owned by root or some other user.  It should not be
> generally accessible by the "public".
> 
> Since this is a shared object module I do not seem to control the
> "setuid" nature of the instigating program like "su", or "ssh".  I am
> doing my development on a somewhat old Ubuntu machine.  As it happens
> "su" is installed as setuid-root and ssh is not setuid at all.  So I
> was wondering if PAM had some magic to handle this situation?
> 
> Right now I think that my best bet is to write my own setuid
> executable and use "pam_exec".
> 
> all the best

PAM session modules (that is, the modules configured in the session stack
and called through pam_sm_open_session() and pam_sm_close_session())
expect to be called with effective uid == 0. So there should be no need
to add any setuid helper for this functionality. Of course there might
be non-compliant applications that call the session modules with a regular
user id, but other modules will be broken for them as well.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
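The cache-file half of the module Seven Reeds describes, written out as an added example (it is not code from this thread, from his module, or from Linux-PAM) that takes the reply above at its word: the session entry points run with euid 0, so the module can own a root-only cache file itself and needs no setuid helper or pam_exec wrapper, and a caller that is not euid 0 is refused as a non-compliant application rather than being allowed to create a cache file the user could tamper with. CACHE_PATH, the record format, the function names and the fake_db stand-in for the remote database are all assumptions made for the example.

```c
/* Added example, not code from the thread or from Linux-PAM.
 * CACHE_PATH, the record format and all names below are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical location; the directory itself should be root-owned 0700. */
#define CACHE_PATH "/var/cache/pam_dblog/sessions.log"

enum dblog_rc { DBLOG_OK = 0, DBLOG_UNPRIVILEGED, DBLOG_BADRECORD, DBLOG_IOERR };

/* The session stack is expected to call the module with effective uid 0. */
int caller_is_privileged(uid_t euid) { return euid == 0; }

/* Reject fields containing whitespace or control characters so a crafted
 * user name cannot inject a fake "<epoch> close ..." line into the cache. */
static int valid_field(const char *s) {
    if (!s || !*s) return 0;
    for (; *s; s++)
        if ((unsigned char)*s <= ' ' || (unsigned char)*s == 0x7f) return 0;
    return 1;
}

/* One record: "<epoch> <event> <user> <service>\n". Returns length or -1. */
static int format_record(char *buf, size_t size, const char *event,
                         const char *user, const char *service) {
    if (!valid_field(event) || !valid_field(user) || !valid_field(service)) return -1;
    int n = snprintf(buf, size, "%lld %s %s %s\n", (long long)time(NULL), event, user, service);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Open the cache (creating it 0600 if absent) and verify via fstat that it
 * is a regular file owned by `owner` with no group/other bits. O_NOFOLLOW
 * refuses a planted symlink; the fstat check refuses a foreign or readable
 * file. The returned fd holds an exclusive flock until it is closed. */
int cache_open(const char *path, uid_t owner, int accmode) {
    int fd = open(path, accmode | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;
    int ok = fstat(fd, &st) == 0;
    if (ok && (!S_ISREG(st.st_mode) || st.st_uid != owner ||
               (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)) { errno = EPERM; ok = 0; }
    if (ok && flock(fd, LOCK_EX) != 0) ok = 0;
    if (!ok) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

/* Append one record with a single write() so concurrent logins from
 * several PAM processes never interleave partial lines. */
int cache_append(const char *path, uid_t owner, const char *rec, size_t len) {
    int fd = cache_open(path, owner, O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    ssize_t w = write(fd, rec, len);
    int e = errno;
    close(fd);                      /* releases the flock */
    if (w < 0 || (size_t)w != len) { errno = w < 0 ? e : EIO; return -1; }
    return 0;
}

/* Try the remote database first; fall back to the cache only on failure. */
enum dblog_rc record_event(const char *path, uid_t owner, const char *event,
                           const char *user, const char *service,
                           int (*send)(const char *, void *), void *ctx) {
    char rec[512];
    int n = format_record(rec, sizeof rec, event, user, service);
    if (n < 0) return DBLOG_BADRECORD;
    if (send(rec, ctx) == 0) return DBLOG_OK;
    return cache_append(path, owner, rec, (size_t)n) == 0 ? DBLOG_OK : DBLOG_IOERR;
}

/* What pam_sm_open_session()/pam_sm_close_session() do once they have the
 * user and service: refuse a non-root caller, otherwise record the event. */
enum dblog_rc session_event(uid_t euid, const char *event, const char *user,
                            const char *service, int (*send)(const char *, void *), void *ctx) {
    if (!caller_is_privileged(euid)) return DBLOG_UNPRIVILEGED;
    return record_event(CACHE_PATH, 0, event, user, service, send, ctx);
}

/* Re-send cached records under the lock; truncate only if every one was
 * accepted, so a record appended by another login cannot be lost. Delivery
 * is at-least-once: a send failure midway leaves already-sent records for
 * the next replay. Returns the number sent, or -1 on failure. */
int cache_replay(const char *path, uid_t owner, int (*send)(const char *, void *), void *ctx) {
    int fd = cache_open(path, owner, O_RDWR);
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "r+");
    if (!f) { close(fd); return -1; }
    char line[512];
    int sent = 0, failed = 0;
    while (!failed && fgets(line, sizeof line, f))
        if (send(line, ctx) == 0) sent++; else failed = 1;
    if (!failed && ftruncate(fd, 0) != 0) failed = 1;
    fclose(f);                      /* closes fd, releasing the flock */
    return failed ? -1 : sent;
}

/* Constructed stand-in for the remote database: counts accepted records
 * and can be switched off to simulate the network outage. */
struct fake_db { int up; int received; };
int fake_db_send(const char *rec, void *ctx) {
    struct fake_db *db = ctx;
    (void)rec;
    if (!db->up) return -1;
    db->received++;
    return 0;
}

int main(void) {
    struct fake_db db = { 0, 0 };   /* network down: events go to the cache */
    const char *p = "/tmp/pam_dblog_demo.log";
    record_event(p, geteuid(), "open", "alice", "sshd", fake_db_send, &db);
    db.up = 1;                      /* network back: drain the cache */
    printf("replayed %d record(s), db has %d\n", cache_replay(p, geteuid(), fake_db_send, &db), db.received);
    printf("unprivileged caller -> %d\n", session_event(1000, "open", "alice", "sshd", fake_db_send, &db));
    return unlink(p);
}
```

In the real module, pam_sm_open_session() would obtain the user with pam_get_user() and the service with pam_get_item(pamh, PAM_SERVICE, ...), call session_event(geteuid(), "open", user, service, ...), and map DBLOG_UNPRIVILEGED to PAM_SESSION_ERR; pam_sm_close_session() does the same with "close". The euid check is the module's own guard against the non-compliant applications mentioned in the reply; the fstat and O_NOFOLLOW checks are what keep a root-owned cache trustworthy even when the directory has been tampered with.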