[PATCH] pam_exec questions and possible patch

Thorsten Kukuk kukuk at suse.de
Mon Mar 26 15:42:02 UTC 2007


On Mon, Mar 26, Aaron Cohen wrote:

> >No, it is not pointless as your own tests show and it has a huge
> >difference, if you are doing a fork()/exec*() call.
> >After exec*() on Linux the effective uid of the new process is the
> >old real uid.
> 
> This is entirely false.  Linux does nothing to change either ruid or
> euid on exec.

Sorry, I should have read my notes first. At first, POSIX defines
some cases where ruid/euid could be changed on exec, but I am not sure
if this is supported by Linux at all. I don't think so.

Replace "Linux" with "make". The culprits were some applications
like make, which seem to depend on the real UID and not on the
effective one.
The simplest solution to see this is to set up a NIS server and
use the example from the manual page. You will see a big difference
if you use "seteuid" or not. If you don't specify "seteuid",
everything in the Makefile will be executed with the effective uid
set to the ruid.

This option was not added for fun, but for problems found by real
world usage of this module.

  Thorsten

-- 
Thorsten Kukuk, Project Manager Base System, Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
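
An added example, not part of the original message and not pam_exec's own code: a C program that forks, execs id(1), and reports the real and effective UID the new program sees, with and without first setting the real UID to the effective UID in the child. That this is what the "seteuid" option amounts to is an assumption, and `uid_after_exec` is a hypothetical helper name.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Hypothetical helper: fork, optionally set real UID = effective UID in the
 * child (assumed effect of the "seteuid" option), exec id(1), and return the
 * real (want_real != 0) or effective UID the new program reports; -1 on error.
 */
long uid_after_exec(int promote_euid, int want_real)
{
    int fds[2], status;
    long uid = -1;

    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                        /* child: becomes id(1) */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1)
            _exit(126);
        if (promote_euid && setreuid(geteuid(), geteuid()) == -1)
            _exit(126);
        /* exec directly, no shell in between that could alter the IDs */
        execlp("id", "id", want_real ? "-ur" : "-u", (char *)NULL);
        _exit(127);
    }
    close(fds[1]);                         /* parent: read id's output */
    FILE *fp = fdopen(fds[0], "r");
    if (fp) {
        if (fscanf(fp, "%ld", &uid) != 1)
            uid = -1;
        fclose(fp);
    } else {
        close(fds[0]);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return uid;
}

int main(void)
{
    printf("caller:         ruid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    printf("exec, as is:    ruid=%ld euid=%ld\n", uid_after_exec(0, 1), uid_after_exec(0, 0));
    printf("exec, promoted: ruid=%ld euid=%ld\n", uid_after_exec(1, 1), uid_after_exec(1, 0));
    return 0;
}
```

The last two rows differ only when the caller's real and effective UIDs differ, for example in a process that has called seteuid() or was started from a set-user-ID binary.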
