On Mon, Mar 26, Aaron Cohen wrote:

> The _only_ reason anything changes in my example is because the euid
> of the calling process happens to be root and the setuid function has
> special behaviour in that case. Setting the real user id is
> practically pointless though as all security checks are made against
> the euid.

No, it is not pointless as your own tests show and it has a huge
difference, if you are doing a fork()/exec*() call. After exec*() on
Linux the effective uid of the new process is the old real uid.

> I am thinking about making the run_as_user option set both real and
> effective user ids more explicitly.

I still don't see which effect "run_as_user" should have. The standard
permissions of the new process in this case are the one of the user.

> I think one problem we might be having is that you intend seteuid to
> give the exec'ed program more permissions than it would normally get,

Without option, pam_exec has less permissions than the calling
application. With "seteuid", pam_exec has the same permissions as the
calling application. So yes, for some configurations you need more
permissions than the calling user has, and for exactly this problem the
"seteuid" option is.

> and I'm intending the exec'ed program to have fewer permissions than
> it would normally get.

It normally gets the permissions of the calling User, not the one of
the calling application. I don't see how you can remove even more
permissions? If you restrict the user in more than he can do without
pam_exec, he will do it without pam_exec.

> I still don't think that the seteuid works the way you intend it to though.

You proved it with your example, I can prove it with the example from
the manual page. It works as designed and documented.

  Thorsten

--
Thorsten Kukuk, Project Manager Base System, Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
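
The point under discussion in this message, which uid a program sees after fork()/exec*(), can be measured directly. The following is an added example, not code from the thread or from pam_exec; the helper name `uid_seen_by_exec_child` is hypothetical, and it assumes an `id` utility on the PATH that accepts `-u` and `-ru`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fork, exec id(1) with the given flag, and return the uid it prints.
 * "-u" reports the exec'ed child's effective uid, "-ru" its real uid.
 * id is exec'ed directly (no shell in between, since some shells
 * adjust their own ids at startup). Returns -1 on any failure. */
long uid_seen_by_exec_child(const char *flag)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                        /* child: stdout -> pipe */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execlp("id", "id", flag, (char *)NULL);
        _exit(127);                        /* only reached if exec failed */
    }

    close(fds[1]);
    char buf[32] = {0};
    ssize_t n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || n <= 0)
        return -1;
    return strtol(buf, NULL, 10);
}

int main(void)
{
    printf("parent: ruid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    printf("child : ruid=%ld euid=%ld\n",
           uid_seen_by_exec_child("-ru"), uid_seen_by_exec_child("-u"));
    return 0;
}
```

The two lines only differ from each other when the calling process has a real uid that is not its effective uid, which is the situation pam_exec's "seteuid" option is about.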