On Thursday 15 March 2007 19:13, Ludvig Ericson wrote:
>> From: Sebastien Cabaniols <sebastien.cabaniols@xxxxxx>
>> To: pam-list@xxxxxxxxxx
>> Date: Thu, 15 Mar 2007 15:07:20 +0100
>> Subject: shall a pam-enabled application be setuid root to be able to
>> pam_authenticate system users ?
>>
>> Hello list,
>>
>> I am quite new to pam and I have currently managed to integrate pam to a
>> short hello world application but I don't understand if my application has
>> to run as root or not:
>>
>> I have defined a /etc/pam.d/test which contains the following:
>>
>> auth required pam_unix_auth.so
>> account required pam_unix_acct.so
>>
>> My application will start after pam_authenticate succeeds (I am simply
>> using the standard misc_conv from pam_misc.)
>>
>> If I am running my application on behalf of the non-privileged user
>> 'seb', then I can only pam_authenticate the user 'seb'. To be able to
>> authenticate other users, I have to run the process as root or setuid or
>> sudo.
>>
>> How can an application (such as a webservice) run on behalf of an
>> unprivileged user and still refuse to run if you can't provide a valid
>> user/password on the linux system ?
>>
>> Many thanks in advance for any help.
>
>As far as I know, no, you don't. I've run things as my own user and
>still been able to authenticate properly. It might have something to
>do with your settings for that service; try to assume another
>service's identity and authenticate as that instead, and perhaps just
>look at other services' configuration files.
>

I am surprised because I have checked (on different distros) a few basic
programs pam-linked and they all are setuid or run as root: login/sshd for
example. The only exception is the xlock program which uses a special binary
to do /etc/password authentication...

>Ludvig Ericson
>
>_______________________________________________
>Pam-list mailing list
>Pam-list@xxxxxxxxxx
>https://www.redhat.com/mailman/listinfo/pam-list
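
Added example, not part of the thread: the behaviour described above (an unprivileged process can only authenticate its own user) matches how pam_unix works. It reads the password hash directly when the process may open /etc/shadow, and otherwise falls back to the privileged unix_chkpwd helper, which only checks the password of the user invoking it. The sketch below reports which case applies to the current process; the helper search paths and the function names are assumptions made for this illustration.

```python
#!/usr/bin/env python3
"""Predict which accounts pam_unix can authenticate for this process."""
import os
import stat

# Typical install locations of the pam_unix helper (assumed; varies by distro).
HELPER_PATHS = ("/sbin/unix_chkpwd", "/usr/sbin/unix_chkpwd", "/usr/bin/unix_chkpwd")


def can_read(path):
    """True if the process (effective ids) can open the file for reading."""
    try:
        with open(path, "rb"):
            return True
    except OSError:
        return False


def find_privileged_helper(paths=HELPER_PATHS):
    """Return the first regular file carrying a setuid or setgid bit, else None."""
    for path in paths:
        try:
            mode = os.stat(path).st_mode
        except OSError:
            continue
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            return path
    return None


def pam_unix_scope(shadow_path="/etc/shadow", helper_paths=HELPER_PATHS):
    """Classify the password checks this process can expect from pam_unix.

    "any-user":  the hash database is readable, so any account can be verified
                 (root, a setuid-root binary, or membership of a group that
                 may read the shadow file).
    "self-only": only the privileged helper can read the hashes, and it
                 verifies just the password of the invoking user.
    "none":      neither route exists; local password checks will fail.
    """
    if can_read(shadow_path):
        return "any-user"
    if find_privileged_helper(helper_paths):
        return "self-only"
    return "none"


if __name__ == "__main__":
    print(f"euid={os.geteuid()} scope={pam_unix_scope()}")
```

A service that must verify arbitrary users without running as root therefore needs a small privileged component for the check (the approach the xlock helper binary takes), rather than setuid on the whole application.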