Re: [PATCH] pam_exec questions and possible patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 3/26/07, Thorsten Kukuk <kukuk@xxxxxxx> wrote:

On Mon, Mar 26, Aaron Cohen wrote:

> >No, it is not pointless as your own tests shows and it has a huge
> >difference, if you are doing a fork()/exec*() call.
> >After exec*() on Linux the effective uid of the new process is the
> >old real uid.
>
> This is entirely false.  Linux does nothing to change either ruid or
> euid on exec.

Sorry, I should have read first my notes. At first, POSIX defines
some cases where ruid/euid could be changed on exec, but not sure
if this is supported by Linux at all. I don't think so.

Replace "Linux" with "make". The culprint where some applications
like make, which seem to depend on the real UID and not on the
effective one.
The simpelst solution to see this is to setup a NIS server and
use the example from the manual page. You will see a big difference
if you use "seteuid" or not. If you don't specify "seteuid",
everything in the Makefile will be executed with the effective uid
set to the ruid.

This option was not added for fun, but for problems found by real
world usage of this module.

  Thorsten



OK, I'm aware of at least oracle that seems to pay attention to the
real user id rather than to the effective one as well so that make
sense.  It seems weird to me that an option called seteuid is more
concerned with setting the Ruid than the Euid though.

My most recent patch actually left around the seteuid option for
compatibility.  I think run_as_user=root would also do the same thing
in a more clear manner though (assuming the calling process has euid
of root as it will in most cases).  Also, run_as_user with no user
specified is useful to me as an admin in securely forcing my users to
run things at login (synchronize their home directories with a backup
server in this case).

I do actually need the environment variable portion of my patch for my
scheme to work (or some equivalent) and it seems useful to me in
general.  What do you think?

Aaron

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux