pam_exec.so with setuid root binary

Christoph Pleger christoph.pleger at cs.uni-dortmund.de
Thu Nov 15 16:16:13 UTC 2018


Hello,

On 2018-11-13 16:21, Christoph Pleger wrote:

> I am using pam_exec.so with a setuid and setgid root binary because my
> binary calls other programs (like lvcreate, mkfs on the new logical
> volume and chown on the mountpoint of mounted logical volume) that
> need root access to be successful and because the authenticating
> service itself does not run as root.
> 
> So far I have not been successful in implementing the desired features,
> because at least lvcreate needs the real uid (not only the effective
> uid) to be 0 to perform its task and because, though my binary changes
> the real ids successfully with setuid() and setgid() when called from
> the command line, this does not work with pam_exec, so that the real
> ids remain those of the authenticating service. In both cases,
> at program start, that is before setuid() and setgid(),  the real ids
> 
> What can I do to solve that? It surprises me that one case does work
> and the other does not, although at program start, that is before
> setuid() and setgid(), the real ids are those of the authenticating
> service and effective and saved ids are 0 in the two cases.

I did not manage to make setuid(0) work successfully in my pam_exec 
program, but setreuid(0, -1); changes the real uid to 0.

Regards
   Christoph
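
Added example (not part of the original post and not the poster's program): the setreuid(0, -1) approach from the message above in C, reading the ids back afterwards instead of relying on the return value alone. The function name promote_real_ids is hypothetical; it assumes the binary starts with effective ids 0, as described in the thread, so passing geteuid()/getegid() amounts to setreuid(0, -1) and setregid(0, -1).

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from the original post): set the real gid/uid to
 * the given targets with setregid()/setreuid(), leaving the effective ids
 * untouched (-1), then read the ids back to confirm the change took effect.
 * Returns 0 only if the real ids now equal the targets.
 */
int promote_real_ids(uid_t uid, gid_t gid)
{
    /* Change the group ids first, then the user ids. */
    if (setregid(gid, (gid_t)-1) != 0) {
        perror("setregid");
        return -1;
    }
    if (setreuid(uid, (uid_t)-1) != 0) {
        perror("setreuid");
        return -1;
    }

    /* Log what the process actually runs with before spawning anything. */
    fprintf(stderr, "uid real=%ld eff=%ld  gid real=%ld eff=%ld\n",
            (long)getuid(), (long)geteuid(),
            (long)getgid(), (long)getegid());

    /* Verify: child tools such as lvcreate look at the real uid. */
    return (getuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(void)
{
    /* In the setuid/setgid root binary from the thread the effective ids
     * are 0 at start, so this sets the real ids to 0 as well. */
    if (promote_real_ids(geteuid(), getegid()) != 0)
        return 1;

    /* ... only now run the tools that need a real uid of 0 ... */
    return 0;
}
```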



