[PATCH] pam_exec questions and possible patch

Thorsten Kukuk kukuk at suse.de
Mon Mar 26 14:35:17 UTC 2007


On Mon, Mar 26, Aaron Cohen wrote:

> The _only_ reason anything changes in my example is because the euid
> of the calling process happens to be root and the setuid function has
> special behaviour in that case.  Setting the real user id is
> practically pointless though as all security checks are made against
> the euid.

No, it is not pointless, as your own tests show, and it makes a huge
difference if you are doing a fork()/exec*() call.
After exec*() on Linux the effective uid of the new process is the
old real uid.

> I am thinking about making the run_as_user option set both real and
> effective user ids more explicitly.

I still don't see which effect "run_as_user" should have. The standard
permissions of the new process in this case are those of the user.

> I think one problem we might be having is that you intend seteuid to
> give the exec'ed program more permissions than it would normally get,

Without the option, pam_exec has fewer permissions than the calling application.
With "seteuid", pam_exec has the same permissions as the calling
application.
So yes, for some configurations you need more permissions than the
calling user has, and the "seteuid" option exists for exactly this problem.


> and I'm intending the exec'ed program to have fewer permissions than
> it would normally get.

It normally gets the permissions of the calling user, not those of
the calling application. I don't see how you can remove even more
permissions?
If you restrict the user to less than he can do without pam_exec, he
will do it without pam_exec.

> I still don't think that the seteuid works the way you intend it to though.

You proved it with your example, I can prove it with the example from
the manual page. It works as designed and documented.

  Thorsten

-- 
Thorsten Kukuk, Project Manager Base System, Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
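
The setuid()/seteuid() distinction debated in this thread, as an added example that is not part of the original message or of pam_exec: a small C model of the Linux credential rules documented in setuid(2) and seteuid(3). The struct and function names are hypothetical, and privilege (CAP_SETUID) is approximated as euid == 0.

```c
#include <stdio.h>

/* Model only: no real syscalls are made, so this runs without root. */
struct cred { unsigned ruid, euid, suid; };

/* Assumption: "privileged" (CAP_SETUID) is approximated as euid == 0. */
static int privileged(const struct cred *c) { return c->euid == 0; }

/* setuid(2): a privileged caller sets real, effective and saved uid;
 * an unprivileged caller may only switch euid to its ruid or suid. */
int model_setuid(struct cred *c, unsigned uid)
{
    if (privileged(c)) {
        c->ruid = c->euid = c->suid = uid;
        return 0;
    }
    if (uid == c->ruid || uid == c->suid) {
        c->euid = uid;
        return 0;
    }
    return -1; /* EPERM */
}

/* seteuid(3): only euid changes; an unprivileged caller may pick
 * its current ruid, euid or suid. */
int model_seteuid(struct cred *c, unsigned uid)
{
    if (privileged(c) || uid == c->ruid || uid == c->euid || uid == c->suid) {
        c->euid = uid;
        return 0;
    }
    return -1; /* EPERM */
}

/* Works on a copy: 1 if a later seteuid(0) would still succeed. */
int can_regain_root(struct cred c) { return model_seteuid(&c, 0) == 0; }

int main(void)
{
    /* Constructed sample: setuid-root application started by uid 1000. */
    struct cred a = {1000, 0, 0}, b = {1000, 0, 0};
    model_setuid(&a, 1000);   /* permanent drop: all three ids change */
    model_seteuid(&b, 1000);  /* temporary drop: saved uid stays 0 */
    printf("setuid : r=%u e=%u s=%u regain=%d\n", a.ruid, a.euid, a.suid, can_regain_root(a));
    printf("seteuid: r=%u e=%u s=%u regain=%d\n", b.ruid, b.euid, b.suid, can_regain_root(b));
    return 0;
}
```

When reviewing privilege-dropping code, the saved uid is the field to check: a drop done with seteuid() alone leaves a path back to the original effective uid.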



