Hi,

I’m currently trying to *properly* port a utility¹ that uses the BSD auth call setusercontext(3)² to switch to a user account. The function³ bundles quite an amount of things (this utility asks it for all except setlogin(2)⁴ because it does not detach from the parent session):

• set ulimits configured for the target user
• set priority (niceness) if configured
• set umask
• set the group vector and primary group (setgid(2))
• [not here] setlogin(2)
• switches to the user (seteuid and setuid)
• initialises the user’s environment and $PATH

It specifically does not change the directory, though (the application does that beforehand, if possible).

The application in question is somewhat like cron or su. It’s called nightly from cron(8) running as root, forking for every user account (iterating over getpwent(3) in a loop) that qualifies (does not have a nomail file but has a calendar file); in the child process, it then switches to the user (as shown above), checks for nomail/calendar file existence if not possible beforehand (e.g. home directory automounted or (NFS) not accessible to root), then does its thing (forking cpp(1) and sendmail(8) in the middle), then exits.

“Doing its thing” notably does NOT involve forking or exiting something else, just calling its “main” function cal(), so here it is unlike su(8) and cron(8).

I found http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html but it talks so much about authentication, which there is none here (it’s intended so that root can switch to any user), while not telling me enough to do the actual switching. Or at least not in a comprehensible (to me) way. It talks about sessions and credentials, but so delightfully vague I cannot make heads or tails out of it.

Can anyone please help me in porting this? Maybe someone already has made a drop-in replacement for setusercontext(3), even? I’ve not found one in the usual places (portable OpenBSD software; OpenSSH’s account management is much more complex and designed differently).

I see https://sources.debian.org/src/cron/3.0pl1-137/debian/patches/features/PAM-support-for-jobs.patch/ but it has no explanation, and I’m not sure how much of this either is applicable to or sufficient for my scenario. (Also unsure if it’s indeed possible to drop in or whether I need to call PAM again before exiting, which, unless I can use atexit, is going to be tricky to impossible.)

① https://github.com/MirBSD/calendar/
② http://www.mirbsd.org/man3/setusercontext
③ http://www.mirbsd.org/cvs.cgi/src/lib/libc/gen/login_cap.c?rev=HEAD near line 600
④ http://www.mirbsd.org/man2/setlogin

Thanks in advance,
//mirabilos
-- 
I believe no one can invent an algorithm. One just happens to hit upon it when God enlightens him. Or only God invents algorithms, we merely copy them. If you don't believe in God, just consider God as Nature if you won't deny existence. -- Coywolf Qi Hunt
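The identity-related steps from the list in the post (group vector, primary group, uid switch, umask, environment), as an added example for Linux using only libc calls; it is not code from the post, from calendar, or from PAM. The name `switch_to_user`, the umask and the `PATH` value are assumptions, and resource limits, priority and PAM sessions are left out.

```c
#define _DEFAULT_SOURCE          /* initgroups, clearenv */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not part of calendar or any libc: permanently become
 * `name`. Returns 0 on success, -1 on failure; after a failure the process
 * may hold a half-switched identity, so the caller should _exit() at once. */
int switch_to_user(const char *name)
{
    struct passwd pwd, *pw = NULL;
    char buf[4096];
    uid_t uid;
    gid_t gid;

    if (name == NULL ||
        getpwnam_r(name, &pwd, buf, sizeof buf, &pw) != 0 || pw == NULL)
        return -1;
    uid = pw->pw_uid;
    gid = pw->pw_gid;

    /* Group vector and gid first: both need the privilege setuid gives up. */
    if (initgroups(pw->pw_name, gid) != 0 || setgid(gid) != 0)
        return -1;
    /* Called as root, setuid() sets the real, effective and saved uid. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify instead of trusting return values: the IDs must match and a
     * non-root target must be unable to get uid 0 back. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;

    umask(022);                                   /* assumed default umask */
    /* Rebuild the environment so nothing from root's cron job leaks in. */
    if (clearenv() != 0 ||
        setenv("HOME", pw->pw_dir, 1) != 0 ||
        setenv("SHELL", pw->pw_shell, 1) != 0 ||
        setenv("USER", pw->pw_name, 1) != 0 ||
        setenv("LOGNAME", pw->pw_name, 1) != 0 ||
        setenv("PATH", "/usr/local/bin:/usr/bin:/bin", 1) != 0) /* assumed */
        return -1;
    return 0;
}
```

The function is meant to be called in the forked child, before any of the user's files are opened.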