You have a cache file that you can open as root, but not using su or sudo or your suid binary? Is that right? That's weird. You're not operating in a filesystem that's mounted nosuid, by any chance?

The only problem I can see with your approach is that suid is kind of all-or-nothing. If your binary does anything before it operates on the cache file, it will also be root until you can well-and-truly drop root privileges after dealing with the cache file.

An alternative might be to make your binary suid some-other-user. So, say the cache file belongs to a user named cacheface and only cacheface can read or write to that file. Your cache-editing binary could be suid cacheface.

You can make a binary whose only job is interacting with the cache, and have your main program call that suid binary. (That's how a lot of shadow password stuff works.)

You could make a server that opens the cache (or keeps it in memory) and you log to it instead of to the remote host.

You could use syslog with remote logging. (Probably totally misses the point.)

You could stop eating so much fatty food, call your mother from time to time and share that recipe for cold fusion you've been hiding... ;-)

Yar!

-Dylan

On Tue, Mar 12, 2013 at 11:14 AM, Seven Reeds <seven.reeds@xxxxxxxxx> wrote:
> Hi,
>
> I am very close to finishing a pam module that will log specific user
> session activities to a database. There could be situations though in
> which the primary, remote DB is unavailable so I want to create a
> local "cache" of loggable events. Once remote DB access is regained I
> will upload the cache records and be very happy. There is an issue
> though.
>
> I want the cache to live in protected space. I would like to open the
> cache as "root" or some other dedicated user. I do not want the
> general public to inspect or edit the cache. I have just tried
> wrapping the cache "open" in setuid calls but that has not worked. I
> am using "su" as my testing tool but even though the "su" executable
> is setuid by default the open section fails.
>
> Is there a general PAM related solution to this?
>
> thanks
> Seven
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
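A sketch of the helper-binary approach Dylan describes: a separate program, installed setuid to a dedicated cache user, whose only job is appending records to the cache, which the PAM module would spawn when the remote DB is unreachable. This is an added example, not code from the thread or from Seven's module. The user name cacheface comes from Dylan's reply; the cache path, the install steps in the header comment, and the record format are assumptions. The helper opens the cache first, while its effective uid is still the cache owner, then drops to the caller's real uid with setresuid() and verifies the drop cannot be undone before it touches any input. Records are read from stdin rather than argv so they do not show up in ps output.

```c
/*
 * cachelog.c - append records to a protected cache file as a dedicated user.
 *
 * Assumed install (not from the thread):
 *   chown cacheface:cacheface /var/cache/pamlog/cache
 *   chmod 0600                /var/cache/pamlog/cache
 *   chown cacheface /usr/local/libexec/cachelog
 *   chmod 4755      /usr/local/libexec/cachelog
 * Usage: printf 'record\n' | /usr/local/libexec/cachelog /var/cache/pamlog/cache
 * Note: a nosuid mount silently ignores the setuid bit; check with findmnt/mount.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* setresuid/getresuid are Linux and BSD extensions; declare them explicitly
 * in case <unistd.h> was first included without _GNU_SOURCE set. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Open the cache for appending. Called first, while the effective uid is
 * still the cache owner. O_NOFOLLOW plus the fstat check refuse symlinks
 * and non-regular or world-writable files, so someone who can write the
 * parent directory cannot redirect the helper to another file. */
int open_cache(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || (st.st_mode & S_IWOTH)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Permanently give up the setuid identity: real, effective and saved uid all
 * become the real uid. Returns 0 only if the drop is verified; for a non-root
 * caller that also means regaining the old effective uid now fails. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    uid_t euid = geteuid();
    if (setresuid(ruid, ruid, ruid) < 0)
        return -1;
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) < 0)
        return -1;
    if (r != ruid || e != ruid || s != ruid)
        return -1;
    /* Had a different identity and are not root now: it must be unrecoverable. */
    if (euid != ruid && ruid != 0 && seteuid(euid) == 0)
        return -1;
    return 0;
}

/* Append one record as a single write. With O_APPEND the kernel positions
 * and writes atomically, so concurrent helpers do not interleave records. */
int append_record(int fd, const char *record)
{
    char buf[4096];
    int n = snprintf(buf, sizeof buf, "%s\n", record);
    if (n < 0 || (size_t)n >= sizeof buf) {
        errno = EMSGSIZE;
        return -1;
    }
    ssize_t w = write(fd, buf, (size_t)n);
    return (w == n) ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s CACHE_PATH  (records on stdin, one per line)\n", argv[0]);
        return 2;
    }
    int fd = open_cache(argv[1]);
    if (fd < 0) {
        perror("open_cache");
        return 1;
    }
    /* Nothing after this point runs as cacheface. */
    if (drop_privileges() < 0) {
        perror("drop_privileges");
        return 1;
    }
    char line[4096];
    while (fgets(line, sizeof line, stdin)) {
        line[strcspn(line, "\n")] = '\0';
        if (append_record(fd, line) < 0) {
            perror("append_record");
            return 1;
        }
    }
    close(fd);
    return 0;
}
```

The open-then-drop ordering is what keeps the window of elevated identity to a single open(2); everything that parses untrusted input happens afterwards as the calling user. A plain setuid() would not do here, because for a non-root process it changes only the effective uid and leaves the saved uid as cacheface, which is exactly the "all-or-nothing" problem Dylan mentions in a different form.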