Shall a PAM-enabled application be setuid root to be able to pam_authenticate system users?

Hello list,

I am quite new to PAM and I have currently managed to integrate PAM into a short 
hello world application, but I don't understand if my application has to run 
as root or not:

I have defined a /etc/pam.d/test which contains the following:

auth 	required 	pam_unix_auth.so
account	required	pam_unix_acct.so

My application will start after pam_authenticate succeeds (I am simply using 
the standard misc_conv from pam_misc).

If I am running my application on behalf of the non-privileged user 'seb', 
then I can only pam_authenticate the user 'seb'. To be able to authenticate 
other users, I have to run the process as root or setuid or sudo.

How can an application (such as a webservice) run on behalf of an 
unprivileged user and still refuse to run if you can't provide a valid 
user/password on the Linux system?

Many thanks in advance for any help.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
