Re: [PATCH] pam_exec questions and possible patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Mar 21, Aaron Cohen wrote:

> I'm currently trying to use pam_exec to call a script to synchronize
> my home directories with a central server and have come across a
> couple of issues.
> 
> Firstly, does pam_exec make any sense outside of the "session" section
> of pam.conf? 

Yes, it makes. Only look at the example section of the manual page.

> It seems slightly hairy to me, because for instance if
> it's in the auth section a user could cause a program to be executed
> by another user by only unsuccessfully attempting to log in as that
> user.

Only an admin can configure this module, so it depends on what he
allows and what not.

> Secondly, is there any way to distinguish in the exec'ed program that
> the session is being opened or closed?  I've finally created a simple
> patch that defines a PAM_SESSION_ACTION environment variable in the
> executed subprocess so that my script can do the correct actions.
> 
> Thirdly, does the seteuid option actually work correctly? 

Yes, it does. Please also look at the example section of the manual
page.

> It seems to
> me that it simply sets the effective user id to whatever the effective
> user id already was.

Correct, it sets the effective user id to the one of the calling
application.

> My patch changes this by setting the effective
> userid of the subprocess to the user id of the user who's session is
> being created if this option is specified.

This change breaks all available configurations, especially the example
from the manual page.
Please introduce new options, not change existing one.

   Thorsten

-- 
Thorsten Kukuk, Project Manager Base System, Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux