Hello,

On 2018-11-13 16:21, Christoph Pleger wrote:

> I am using pam_exec.so with a setuid and setgid root binary because my binary calls other programs (like lvcreate, mkfs on the new logical volume and chown on the mountpoint of the mounted logical volume) that need root access to be successful, and because the authenticating service itself does not run as root. But I have not been successful so far in implementing the desired features, because at least lvcreate needs the real uid (not only the effective uid) to be 0 to perform its task, and because, though my binary changes the real ids successfully with setuid() and setgid() when called from the command line, this does not work with pam_exec, so that the real ids remain those of the authenticating service.
>
> What can I do to solve that? It surprises me that one case does work and the other does not, although at program start, that is before setuid() and setgid(), the real ids are those of the authenticating service and the effective and saved ids are 0 in both cases.
I did not manage to make setuid(0) work successfully in my pam_exec program, but setreuid(0, -1); changes the real uid to 0.
Regards
Christoph

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
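As an added illustration of the technique Christoph ends up with (this is example code written for this page, not Christoph's helper and not part of pam_exec), the helper below is a setuid-root binary of the kind described in the thread: it raises the real uid and gid to 0, reads the ids back instead of trusting the return value of setuid(0)/setgid(0), falls back to setreuid(0, -1)/setregid(0, -1) when the real id is still unchanged, and only then execs the privileged tool. It also does two things a setuid helper started from a non-root service should always do: accept only absolute command paths and run the child with a scrubbed environment, since LD_PRELOAD, PATH and friends inherited from the service are ignored for the setuid helper itself but would apply to a non-setuid child such as lvcreate. It assumes Linux/glibc; the /usr/bin/id command in main() is a placeholder standing in for lvcreate/mkfs/chown.

```c
/* Example setuid-root helper for use from pam_exec (added example, not
 * from the thread).  Build, then: chown root:root helper && chmod u+s,g+s helper
 * Assumes Linux/glibc. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Make real *and* effective uid/gid 0.  setuid(0)/setgid(0) should set
 * real, effective and saved ids when the effective id is already 0, but we
 * read the ids back rather than trust the call, and fall back to
 * setreuid(0, -1)/setregid(0, -1), which change only the real id (this is
 * what made the real uid 0 in the thread).  Returns 0 on success, -1 with
 * errno set otherwise. */
int become_root(void)
{
    if (geteuid() != 0) {
        errno = EPERM;              /* not running setuid-root: cannot escalate */
        return -1;
    }
    /* gid first, the conventional order */
    if ((setgid(0) != 0 || getgid() != 0) && setregid(0, (gid_t)-1) != 0)
        return -1;
    if ((setuid(0) != 0 || getuid() != 0) && setreuid(0, (uid_t)-1) != 0)
        return -1;
    /* Verify instead of assuming: tools such as lvcreate look at the real uid. */
    if (getuid() != 0 || geteuid() != 0 || getgid() != 0 || getegid() != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Fork, become root in the child, and execve argv[0] (absolute path only)
 * with a minimal environment so nothing inherited from the authenticating
 * service reaches the privileged tool.  Returns the child's exit status,
 * 127 if the child could not become root or exec, -1 on error. */
int run_privileged(char *const argv[])
{
    static char *const clean_env[] = {
        "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
        NULL
    };
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (become_root() != 0)
            _exit(127);
        execve(argv[0], argv, clean_env);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("helper before: uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    /* Placeholder for lvcreate/mkfs/chown: show the ids the child sees. */
    char *const show_ids[] = { "/usr/bin/id", NULL };
    int rc = run_privileged(show_ids);
    if (rc != 0) {
        fprintf(stderr, "run_privileged failed (rc=%d)\n", rc);
        return 1;
    }
    return 0;
}
```

Run it once from a shell as an unprivileged user and once from the pam_exec stanza; in both cases the child's id output should show uid=0 and gid=0, and if become_root() reports EPERM under pam_exec the helper is not actually running with effective uid 0 there, which points at the setuid bit being dropped (nosuid mount, a copied binary) rather than at the setuid() call.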