Re: pam modules and setuid actions



On Wed, 2013-03-13 at 11:02 -0500, Seven Reeds wrote: 
> Sorry, I was not clear.  I'll try again.
> I have written a PAM shared object (.so) module.  It should log PAM
> session related info to a remote database at session start and stop.
> In the rare times when there are network issues I would like the
> module to log to a local cache file.  When the network is
> reestablished I want to send all the cached records to the remote DB.
> I want the cache file to exist in a protected part of the file system.
>  It should be owned by root or some other user.  It should not be
> generally accessible by the "public".
> Since this is a shared object module I do not seem to control the
> "setuid" nature of the instigating program like "su", or "ssh".  I am
> doing my development on a somewhat old Ubuntu machine.  As it happens
> "su" is installed as setuid-root and ssh is not setuid at all.  So I
> was wondering if PAM had some magic to handle this situation?
> Right now I think that my best bet is to write my own setuid
> executable and use "pam_exec".
> all the best

PAM session modules (that is, the modules configured in the session stack
and called through pam_sm_open_session() and pam_sm_close_session())
expect to be called with effective uid == 0. So there should be no need
to add any setuid helper for this functionality. Of course there might
be non-compliant applications that call the session modules with a regular
user id, but other modules will be broken for them as well.

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
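The reply above rests on one promise of the session stack: a compliant application runs pam_sm_open_session() with effective uid 0, so the module itself can create a root-owned, non-public cache file without any setuid helper. The C below is an added example, not code from this thread or from Linux-PAM: it shows the two checks a module would run from its session hook before touching such a file. The PAM entry points themselves are left out so the block builds without libpam headers; the helper names (session_has_root_euid, open_private_cache, append_cache_record, cache_mode_bits) and the /tmp path used in main() are assumptions chosen for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from the thread): 1 if we are running with the
 * root effective uid that the session stack promises, 0 otherwise.  A module
 * would call this at the top of pam_sm_open_session() and fail closed
 * (return PAM_SESSION_ERR) instead of trying to write a root-owned cache
 * file while unprivileged, which is exactly the non-compliant-application
 * case the reply mentions. */
int session_has_root_euid(void) {
    return geteuid() == 0;
}

/* Open (creating if needed) the local cache file with the properties the
 * poster asked for: owned by the caller (root under a compliant application),
 * mode 0600, never following a symlink at the final path component, and never
 * anything but a regular file.  Returns an fd >= 0, or -1 with errno set. */
int open_private_cache(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    /* Refuse a pre-existing file that is not ours, is not a regular file, or
     * was created with group/world permission bits: a writable cache that the
     * "public" can read or replace defeats the point of caching there. */
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Append one record plus newline to the cache.  Returns 0 on success, -1 on
 * any failure (the caller would then log via pam_syslog and keep going). */
int append_cache_record(const char *path, const char *record) {
    int fd = open_private_cache(path);
    if (fd < 0)
        return -1;
    size_t len = strlen(record);
    int rc = (write(fd, record, len) == (ssize_t)len) ? 0 : -1;
    if (write(fd, "\n", 1) != 1)
        rc = -1;
    close(fd);
    return rc;
}

/* Permission bits of an existing cache file (0777 mask), -1 if absent.
 * Useful for an audit check that the cache never became world-readable. */
int cache_mode_bits(const char *path) {
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Stand-alone demo; a real module would do this from pam_sm_open_session(). */
int main(void) {
    const char *path = "/tmp/pam_cache_example.log";   /* constructed path */
    if (!session_has_root_euid())
        fprintf(stderr, "warning: euid %u is not 0; caller is not PAM-compliant\n",
                (unsigned)geteuid());
    if (append_cache_record(path, "open_session user=example host=example") != 0) {
        perror("append_cache_record");
        return 1;
    }
    printf("cache mode bits: %04o\n", cache_mode_bits(path));
    return 0;
}
```

Two things worth noting for a module doing this for real: open(2) with O_CREAT applies the process umask, so the 0600 here can only get tighter, never looser; and the fstat() re-check after open() is what catches a file someone pre-created with loose permissions, which O_CREAT alone would silently reuse.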

Pam-list mailing list
