After reading some more information on PAM and finding nothing about when and where to drop privileges, this is probably the closest to something useful I could find on this topic. The example below would not work unless privileges were dropped after a pam_session_open. Also, the last part implies that you will need root privileges.

From http://wwws.sun.com/software/solaris/pam/man_pam.pdf, page 14 (or 16 if you use Google):

"In many instances, the pam_open_session( ) and pam_close_session( ) calls may be made by different processes. For example, in UNIX the login process opens a session, while the init process closes the session. In this case, UTMP/WTMP entries may be used to link the call to pam_close_session( ) with an earlier call to pam_open_session( ). This is possible because UTMP/WTMP entries are uniquely identified by a combination of attributes, including the user login name and device name, which are accessible through the PAM handle, pamh. The call to pam_open_session( ) should precede UTMP/WTMP entry management and the call to pam_close_session( ) should follow UTMP/WTMP exit management."

/Troels.

On Mon, 2003-07-07 at 18:45, Steve Langasek wrote:
> On Sun, Jul 06, 2003 at 08:35:38PM -0800, Ethan Benson wrote:
> > On Sun, Jul 06, 2003 at 05:54:58PM -0500, Steve Langasek wrote:
> > > Convince the OpenSSH maintainers that the current behavior is incorrect,
> > > and get them to change it.
> >
> > who says it's incorrect? not the pam docs. pam_session running as
> > root has always been an assumption.
>
> I say it's incorrect; because if it's not incorrect, it's nevertheless
> all but useless.
>
> pam_mkhomedir: create user homedir upon session start. Requires
> write-access to a directory that /should/ be root-only writeable.
>
> pam_radius: logs connection information to a RADIUS accounting server.
> Requires access to the RADIUS shared secret. Root-only.
>
> pam_console: grant locally logged-in users access to certain devices.
> Requires root access to change file permissions.
>
> pam_lastlog: writes to /var/log/lastlog. Root only.
>
> And strangely, I can't find such a module at the moment; but another
> obvious application for open/close session is utmp/wtmp logging.
>
> So as long as you only care about trivial modules like pam_mail and
> pam_env, sure; running pam_session without privileges works just fine.
>
> > it's less convenient, but also much safer, always a tradeoff.
>
> So don't run untrusted PAM modules. This choice should be made by the
> administrator, not by the programmer.