Re: Kernel-level authentication


 



<quote sender="Seth Arnold">
> On Thu, Jun 19, 2003 at 09:31:12AM +0800, Eugene Teo wrote:
> > No one has any idea?
> 
> Ah, sorry, I meant to reply. :)

:-)

> You've got zero userspace access in the kernel. And, I'm not sure you
> really need libpam access in the kernel.

Via usermode helper, I hope.
 
> > > I am trying to write a vfs on top of my existing fs to do
> > > file authentication. that means, let's assume that all users
> > > can view files, but if he/she wants to use it, they have to
> > > authenticate themselves first before they can use it.
> 
> I completely fail to understand this. :)
> 
> Are you intending to add something like posix 1.e draft ACLs?

I am not sure about draft ACLs, but in my future implementation (if I got
it right), I would like to have an ACL or a list of programs that the users
can run by default.

> 
> > > I am thinking of using libpam as a wrapper in the kernel
> > > level, so that i can change the authentication scheme if
> > > needed.
> 
> The easiest way to do that is have all authentication checking
> handled in userspace. A program such as /bin/login, or /bin/su, or
> /usr/bin/sudo, that uses PAM, is an extremely flexible approach to
> handling authentication. I guess the downside is that it is easiest to
> use PAM to change user, group, groups, and rlimits. Changing per-process
> access to files is a little more work, however the "bind mounts" and
> "per process namespaces" of newer kernels give you -some- degree of
> freedom here.

Hmm, my objective is to let users login to my box, and run any arbitrary
programs (with EXEC bit on). But before they do so, they have to do a
pre-execution process, and that is to authenticate themselves. I would
like to use libpam because I would like to authenticate it via several
methods, and libpam can provide me with this functionality.

example:
user$ ls
   password: ******
total 72K
4.0K -rw-------    1 amnesia  amnesia       620 Sep 13  2001 Config.in
4.0K -rw-------    1 amnesia  amnesia       527 Dec 30  2000 Makefile
12K -rw-------    1 amnesia  amnesia       11K Jun 13 22:51 evdev.c
12K -rw-------    1 amnesia  amnesia      9.8K Jun 13 22:51 input.c
16K -rw-------    1 amnesia  amnesia       15K Jun 13 22:51 joydev.c
8.0K -rw-------    1 amnesia  amnesia      7.7K Jun 13 22:51 keybdev.c
16K -rw-------    1 amnesia  amnesia       13K Jun 13 22:51 mousedev.c 
user$ rm Makefile
   password: ***
   Invalid password. Denied.
user$

So basically I would like to intercept any program that can execute
at the kernel level, and then call a helper program in userspace
to prompt the user "Hey, tell me who u r first!" before they can run
it.

Can call_usermodehelper do this? LDD doesn't give any example. Is it
possible for me to write a userspace helper program that interacts
with libpam (like su/login), and then inform my lkm/vfs module/etc.
at the kernel level that, hey, this user is my friend, and continue
execution?

Many thanks!
-- 
Eugene TEO @ Linux Users Group, Singapore <eugeneteo@lugs.org.sg>
GPG FP: D851 4574 E357 469C D308  A01E 7321 A38A 14A0 DDE5 
main(i){putchar(182623909>>(i-1)*5&31|!!(i<7)<<6)&&main(++i);}

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/


