pam_exec.so with setuid root binary
Christoph Pleger
christoph.pleger at cs.uni-dortmund.de
Mon Nov 26 10:19:45 UTC 2018
Hello,
On 2018-11-15 17:16, Christoph Pleger wrote:
> Hello,
>
> On 2018-11-13 16:21, Christoph Pleger wrote:
>
>> I am using pam_exec.so with a setuid and setgid root binary because my
>> binary calls other programs (like lvcreate, mkfs on the new logical
>> volume and chown on the mountpoint of mounted logical volume) that
>> need root access to be successful and because the authenticating
>> service itself does not run as root.
>>
>> But I have not been successful so far in implementing the desired features,
>> because at least lvcreate needs the real uid (not only the effective
>> uid) to be 0 to perform its task and because, though my binary changes
>> the real ids successfully with setuid() and setgid() when called from
>> the command line, this does not work with pam_exec, so that the real
>> ids stay those of the authenticating service. In both cases,
>> at program start, that is before setuid() and setgid(), the real ids
>>
>> What can I do to solve that? It surprises me that one case does work
>> and the other does not, although at program start, that is before
>> setuid() and setgid(), the real ids are those of the authenticating
>> service and effective and saved ids are 0 in the two cases.
>
> I did not manage to make setuid(0) work successfully in my pam_exec
> program, but setreuid(0, -1); changes the real uid to 0.
After succeeding in setting the real UID with setreuid() instead of
setuid(), I still had permission problems with lvcreate. I solved these
by using LVM-DBus-Library calls instead; creating a filesystem with mkfs
was no problem. But now I even get an "Operation not permitted" when
trying a simple chown on a directory - so I want to ask again, though
less specifically than before: What makes programs called by pam_exec so
different from programs called from the command line, especially
regarding the use and the effects of the setuid/setreuid functions?
Regards
Christoph
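As an added diagnostic (this is not code from the thread or from Linux-PAM), assuming a Linux host with /proc: a small C helper that logs the Uid/Gid, capability and NoNewPrivs lines of /proc/self/status, so the same setuid binary can be compared when started by pam_exec and when started from a shell. Whether the calling service runs with a reduced capability bounding set or no_new_privs is an assumption to check, not something the thread establishes; an effective uid of 0 does not by itself guarantee CAP_SETUID or CAP_CHOWN.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the value of one "Key:\tvalue" line of /proc/self/status into out;
 * returns 1 when the line carries the requested key, 0 otherwise. */
int status_field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return 0;
    const char *v = line + klen + 1;
    while (*v == ' ' || *v == '\t') v++;
    size_t n = strcspn(v, "\n");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, v, n); out[n] = '\0';
    return 1;
}

/* Does a hex capability mask (CapEff/CapBnd format) contain capability cap?
 * Numbers follow <linux/capability.h>: 0 = CAP_CHOWN, 7 = CAP_SETUID. */
int capmask_has(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* -1 when line is not the requested key, else whether its mask grants cap. */
int line_grants_cap(const char *line, const char *key, int cap)
{
    char val[64];
    return status_field(line, key, val, sizeof val) ? capmask_has(val, cap) : -1;
}

/* Log the lines a pam_exec child should record about itself: Uid/Gid
 * (real, effective, saved, fs), the Cap* sets and NoNewPrivs. Returns 0,
 * or -1 if /proc/self/status cannot be opened. */
int report_credentials(FILE *log)
{
    FILE *st = fopen("/proc/self/status", "r");
    if (!st) return -1;
    char line[256];
    while (fgets(line, sizeof line, st))
        if (!strncmp(line, "Uid:", 4) || !strncmp(line, "Gid:", 4) ||
            !strncmp(line, "Cap", 3) || !strncmp(line, "NoNewPrivs", 10))
            fputs(line, log);
    fclose(st);
    return 0;
}

int main(void) { return report_credentials(stderr) == 0 ? 0 : 1; }
```

Run it as the pam_exec target (with its output redirected to a log file, since pam_exec does not show stderr) and once from a root shell; differing CapBnd, CapEff or NoNewPrivs lines show that the child did not inherit the privileges the effective uid suggests.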