Re: shall a pam-enabled application be setuid root to be able to pam_authenticate system users ?

["Ludvig Ericson" <ludvig ericson gmail com>]

> From: Sebastien Cabaniols <sebastien cabaniols hp com>
> To: pam-list redhat com
> Date: Thu, 15 Mar 2007 15:07:20 +0100
> Subject: shall a pam-enabled application be setuid root to be able to pam_authenticate system users ?
> Hello list,
>
> I am quite new to pam and I have currently managed to integrate pam to a short
> hello world application but I don't understand if my application has to run
> as root or not:
>
> I have defined a /etc/pam.d/test which contains the following:
>
> auth    required        pam_unix_auth.so
> account required        pam_unix_acct.so
>
> My application will start after pam_authenticate succeds (I am simply using
> the standard misc_conv from pam_misc.)
>
> If I am running my application on behalf of the non-priviledged user 'seb',
> then I can only pam_authenticate the user 'seb'. To be able to authenticate
> other users, I have to run the process as root or setuid or sudo.
>
> How can an application (such as a webservice) run on behalf of an
> unpriviledged user and still refuse to run if you can't provide a valid
> user/password on the linux system ?
>
> Many thanks in advance for any help.

As far as I know, no, you don't. I've run things as my own user and
still been able to authenticate properly. It might have something to
do with your settings for that service; try to assume another
service's identity and authenticate as that instead, and perhaps just
look at other services' configuration files.

Ludvig Ericson