[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_exec.so with setuid root binary



Hello,

On 2018-11-13 16:21, Christoph Pleger wrote:

I am using pam_exec.so with a setuid and setgid root binary because my
binary calls other programs (like lvcreate, mkfs on the new logical
volume and chown on the mountpoint of mounted logical volume) that
need root access to be successful and because the authenticating
service itself does not run as root.

But I was not successful so far to implement the desired features,
because at least lvcreate needs the real uid (not only the effective
uid) be 0 to perform its task and because, though my binary changes
the real ids successfully with setuid() and setgid() when called from
the command line, this does not work with pam_exec, so that the real
ids stay to be those from the authenticating service. In both cases,
at program start, that is before setuid() and setgid(),  the real ids

What can I do to solve that? It surprises me that one case does work
and the other does not, although at program start, that is before
setuid() and setgid(), the real ids are those of the authenticating
service and effective and saved ids are 0 in the two cases.

I did not manage to make setuid(0) work successfully in my pam_exec program, but setreuid(0, -1); changes the real uid to 0.

Regards
  Christoph


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]