This doesn't really look like a PAM question, exactly; although PAM and
whatever calls it will determine which UID and GID your module starts
executing as.
gpg is a bad example; it's much more paranoid about the (E)UID and
(E)GID it runs under. I don't think sudo will go quite far enough. Check
the command you're trying to run manually; run it as root, as a "full"
regular user, and as a restricted user like nobody. You'll probably have
to do some additional (E)UID/(E)GID tweaking to get your module running
as the correct UID/GID for what you want to accomplish.
-kgd
ronald de la cruz wrote:
thanks for the reply...but my only problem is adding the 'sudo' in popen.
if i run it without sudo, there's no problem...
my main concern is how the PAM module will accept that sudo.
The second paragraph of my reply still applies; gpg is very particular
about the UID, EUID, GID, and EGID it finds itself running under. sudo
doesn't quite set everything perfectly IIRC - you *will* need to
explicitly set the UID, EUID, GID, and/or EGID (one or more, depending
on what's not set correctly for what you want to accomplish).
There's nothing special about PAM that I know of that limits sudo in any
way; about the only thing I can think of is trouble determining which
user is apparently *calling* sudo so you can add the appropriate entries
to /etc/sudoers so that your command runs as the correct user.
A better idea of what your module is trying to accomplish would probably
help the PAM gurus on the list give you some more specific advice; my
recommendations come from trying to get gpg to run in a certain manner
from a setuid Perl script. Among other problems I ran into, I found
that sudo did NOT go far enough in setting the EUID to the correct user
for my use of gpg.
-kgd
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list