[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_exec.so with setuid root binary



Hello,

On 2018-11-15 17:16, Christoph Pleger wrote:
Hello,

On 2018-11-13 16:21, Christoph Pleger wrote:

I am using pam_exec.so with a setuid and setgid root binary because my
binary calls other programs (like lvcreate, mkfs on the new logical
volume and chown on the mountpoint of mounted logical volume) that
need root access to be successful and because the authenticating
service itself does not run as root.

But I was not successful so far to implement the desired features,
because at least lvcreate needs the real uid (not only the effective
uid) be 0 to perform its task and because, though my binary changes
the real ids successfully with setuid() and setgid() when called from
the command line, this does not work with pam_exec, so that the real
ids stay to be those from the authenticating service. In both cases,
at program start, that is before setuid() and setgid(),  the real ids

What can I do to solve that? It surprises me that one case does work
and the other does not, although at program start, that is before
setuid() and setgid(), the real ids are those of the authenticating
service and effective and saved ids are 0 in the two cases.

I did not manage to make setuid(0) work successfully in my pam_exec
program, but setreuid(0, -1); changes the real uid to 0.

After being successful to set the real UID with setreuid() instead of setuid(), I still had permission problems with lvcreate. I solved these by using LVM-DBus-Library calls instead, creating a filesystem with mkfs was no problem. But now I even get an "Operation not permitted" when trying a simple chown on a directory - so I want to ask again, though less specific the before: What makes programs called by pam_exec so different from programs called from the command line, especially regarding the use and the effects of setuid/setreuid-functions?

Regards
  Christoph


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]