Re: pam modules and setuid actions



You have a cache file that you can open as root, but not using su or
sudo or your suid binary?  Is that right?  That's weird.  You're not
operating in a filesystem that's mounted nosuid, by any chance?

The only problem I can see with your approach is that suid is kind of
all-or-nothing.  If your binary does anything before it operates on
the cache file, it will also be root until you can well-and-truly drop
root privileges after dealing with the cache file.

An alternative might be to make your binary suid some-other-user.  So,
say the cache file belongs to a user named cacheface and only
cacheface can read or write to that file.  Your cache-editing binary
could be suid cacheface.

You can make a binary whose only job is interacting with the cache,
and have your main program call that suid binary.  (That's how a lot
of shadow password stuff works.)

You could make a server that opens the cache (or keeps it in memory)
and you log to it instead of to the remote host.

You could use syslog with remote logging. (probably totally misses the point)

You could stop eating so much fatty food, call your mother from time
to time and share that recipe for cold fusion you've been hiding...


On Tue, Mar 12, 2013 at 11:14 AM, Seven Reeds <seven.reeds@xxxxxxxxx> wrote:
> Hi,
> I am very close to finishing a pam module that will log specific user
> session activities to a database.  There could be situations though in
> which the primary, remote DB is unavailable so I want to create a
> local "cache" of loggable events.  Once remote DB access is regained I
> will upload the cache records and be very happy.  There is an issue
> though.
> I want the cache to live in protected space.  I would like to open the
> cache as "root" or some other dedicated user.  I do not want the
> general public to inspect or edit the cache.  I have just tried
> wrapping the cache "open" in setuid calls but that has not worked.  I
> am using "su" as my testing tool but even though the "su" executable
> is setuid by default the open section fails.
> Is there a general PAM related solution to this?
> thanks
> Seven