Linux Archive > Debian > Debian Development
Old 11-20-2007, 04:07 PM
Eric Cooper
 
how should a daemon drop privileges in a PAM-compatible way?

I wrote a daemon that is started from an init-script as root, and then
uses setuid and setgid to drop to a less-privileged system user and
group.

A user discovered that the program breaks when he uses the
libpam-tmpdir module, because TMPDIR doesn't get changed to the
/tmp/user/NNN directory, so the daemon tries, unsuccessfully, to
create files in /tmp.

What is the correct way to handle this?

I'm not very familiar with PAM, but I presume there might be other PAM
modules out there that would cause similar breakage; I don't want my
program to have to know about them all.

I can't use an su wrapper, because the daemon needs to do some
privileged things initially. Is there a high level function to
"change userid, groupid and do the related PAM things" that I can use,
or example code I can use? Thanks for any pointers.

--
Eric Cooper e c c @ c m u . e d u


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 11-20-2007, 04:32 PM
Peter Palfrader
 
how should a daemon drop privileges in a PAM-compatible way?

On Tue, 20 Nov 2007, Eric Cooper wrote:

> I wrote a daemon that is started from an init-script as root, and then
> uses setuid and setgid to drop to a less-privileged system user and
> group.
>
> A user discovered that the program breaks when he uses the
> libpam-tmpdir module, because TMPDIR doesn't get changed to the
> /tmp/user/NNN directory, so the daemon tries, unsuccessfully, to
> create files in /tmp.
>
> What is the correct way to handle this?

I'm inclined to argue that there's nothing you should do about that, at
least not anything with PAM. If it's easily possible, don't do
tempfiles, but you can't start working around every broken setup out
there.

--
                            |  .''`.  ** Debian GNU/Linux **
       Peter Palfrader      | : :' :      The  universal
  http://www.palfrader.org/ | `. `'      Operating System
                            |   `-    http://www.debian.org/


 
Old 11-20-2007, 05:29 PM
Steve Langasek
 
how should a daemon drop privileges in a PAM-compatible way?

On Tue, Nov 20, 2007 at 12:07:10PM -0500, Eric Cooper wrote:
> I wrote a daemon that is started from an init-script as root, and then
> uses setuid and setgid to drop to a less-privileged system user and
> group.

> A user discovered that the program breaks when he uses the
> libpam-tmpdir module, because TMPDIR doesn't get changed to the
> /tmp/user/NNN directory, so the daemon tries, unsuccessfully, to
> create files in /tmp.

> What is the correct way to handle this?

TMPDIR is an environment variable; PAM modules are not allowed to touch env
vars directly, you need to call pam_getenvlist() after pam_open_session()
and iterate through the provided values, pushing them to the process
environment for the per-user session process.

> I'm not very familiar with PAM, but I presume there might be other PAM
> modules out there that would cause similar breakage; I don't want my
> program to have to know about them all.

Yes, such as pam_env and pam_krb5.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/


 
Old 11-20-2007, 06:32 PM
Roger Leigh
 
how should a daemon drop privileges in a PAM-compatible way?

Eric Cooper <ecc@cmu.edu> writes:

> I wrote a daemon that is started from an init-script as root, and then
> uses setuid and setgid to drop to a less-privileged system user and
> group.
>
> A user discovered that the program breaks when he uses the
> libpam-tmpdir module, because TMPDIR doesn't get changed to the
> /tmp/user/NNN directory, so the daemon tries, unsuccessfully, to
> create files in /tmp.
>
> What is the correct way to handle this?
>
> I'm not very familiar with PAM, but I presume there might be other PAM
> modules out there that would cause similar breakage; I don't want my
> program to have to know about them all.
>
> I can't use an su wrapper, because the daemon needs to do some
> privileged things initially. Is there a high level function to
> "change userid, groupid and do the related PAM things" that I can use,
> or example code I can use? Thanks for any pointers.

I came across the same problem when writing schroot, which is a
setuid-root program which uses PAM for authentication prior to doing
some setup as root and then dropping root privs.

My solution was to use two processes, one running as root for PAM
tasks, which forks a child process to do the unprivileged stuff, i.e.

    pam_handle_t *pamh;
    pam_start(service, user, &conv, &pamh);      /* PAM init and setup */
    ...
    pam_open_session(pamh, 0);
    root_setup_tasks();
    pid_t pid = fork();
    if (pid == 0) {
        /* child: drop root, then do the unprivileged work */
        setgroups(0, NULL); setgid(gid); setuid(uid);
        unprivileged_tasks();
        _exit(0);
    } else {
        int status;
        waitpid(pid, &status, 0);                /* wait on child */
        pam_close_session(pamh, 0);              /* still root here */
    }
    pam_end(pamh, PAM_SUCCESS);                  /* PAM cleanup */

I can't see a better way, because a PAM module at any point might need
root privs, even during cleanup. To see how schroot does this, check
out the git repo:

% git clone git://git.debian.org/git/buildd-tools/schroot.git

and see sbuild/sbuild-(auth|session).(cc|h). The stuff relevant to
the question is in the session code; the auth stuff is an
exception-safe C++ PAM wrapper.


Regards,
Roger
--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
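The following is an added example, written for this page; it is neither code from the thread nor schroot's code. It puts together the two points made above: Steve's, that the session environment (TMPDIR from pam_tmpdir, anything from pam_env or pam_krb5) must be fetched with pam_getenvlist() after pam_open_session() and pushed into the environment by the application itself, and Roger's, that the parent must keep root for the whole PAM session while a forked child drops privileges and does the work. The function names (import_env_list, drop_privileges, run_as_user), the cron-style call order (no pam_authenticate for a system user; pam_acct_mgmt, pam_setcred, pam_open_session), and the USE_PAM build switch are my own assumptions; build with `cc -DUSE_PAM daemon_drop.c -lpam` for the real session flow, or without -DUSE_PAM to compile only the PAM-independent helpers. The sample environment list is constructed inline, shaped like a pam_getenvlist() result.

```c
/* Added example, not code from the thread or from schroot.
 * Parent keeps root for the whole PAM session; the child imports the
 * PAM environment, drops privileges and does the work.
 * Build: cc -DUSE_PAM daemon_drop.c -lpam (USE_PAM is my own switch). */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef USE_PAM
#include <security/pam_appl.h>
#endif

/* Push a NULL-terminated "NAME=VALUE" list, the shape pam_getenvlist()
 * returns, into the process environment. pam_getenvlist() hands the
 * strings and the array to the caller, so each entry is freed here.
 * Returns the number of variables set, -1 if there is no list. */
int import_env_list(char **list)
{
    int n = 0;
    if (list == NULL)
        return -1;
    for (char **p = list; *p != NULL; p++) {
        char *eq = strchr(*p, '=');
        if (eq != NULL && eq != *p) {
            *eq = '\0';
            if (setenv(*p, eq + 1, 1) == 0)
                n++;
        }
        free(*p);                /* entry without '=' is skipped, not fatal */
    }
    free(list);
    return n;
}

/* Constructed sample input (my own), shaped like what pam_tmpdir and
 * pam_env would export for uid 1000, plus one malformed entry. */
char **constructed_env_list(void)
{
    char **list = calloc(4, sizeof *list);
    list[0] = strdup("TMPDIR=/tmp/user/1000");
    list[1] = strdup("TMP=/tmp/user/1000");
    list[2] = strdup("BROKEN-NO-EQUALS");
    return list;
}

/* Permanent drop to uid/gid: supplementary groups first (root only),
 * then gid, then uid, then verify. An unchecked setuid() failure
 * leaves the daemon silently running as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)      /* root must not be recoverable */
        return -1;
    return 0;
}

#ifdef USE_PAM
/* A system user gets no prompts: refuse any conversation request. */
static int no_conv(int n, const struct pam_message **msg,
                   struct pam_response **resp, void *data)
{
    (void)n; (void)msg; (void)resp; (void)data;
    return PAM_CONV_ERR;
}

/* Run work() as `user` inside a PAM session for `service`. The parent
 * stays root until pam_end(), since a module may need root even at
 * cleanup; the child never calls pam_end(). Returns work()'s exit code. */
int run_as_user(const char *service, const char *user, int (*work)(void))
{
    struct pam_conv conv = { no_conv, NULL };
    pam_handle_t *pamh = NULL;
    struct passwd *pw = getpwnam(user);
    int rc, status = 1;

    if (pw == NULL || pam_start(service, user, &conv, &pamh) != PAM_SUCCESS)
        return 1;
    rc = pam_acct_mgmt(pamh, 0);          /* no password for a system user */
    if (rc == PAM_SUCCESS) rc = pam_setcred(pamh, PAM_ESTABLISH_CRED);
    if (rc == PAM_SUCCESS) rc = pam_open_session(pamh, 0);
    if (rc != PAM_SUCCESS) { pam_end(pamh, rc); return 1; }

    pid_t pid = fork();
    if (pid == 0) {                       /* child: env, drop, work */
        if (import_env_list(pam_getenvlist(pamh)) < 0 ||
            drop_privileges(pw->pw_uid, pw->pw_gid) != 0)
            _exit(127);
        _exit(work());
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        status = WEXITSTATUS(status);
    else
        status = 1;
    pam_close_session(pamh, 0);           /* still root, as a module may need */
    pam_setcred(pamh, PAM_DELETE_CRED);
    pam_end(pamh, PAM_SUCCESS);
    return status;
}
#endif
```

The check at the end of drop_privileges() is the part most daemons skip: setuid() can fail (for example under a process-count limit in older kernels), and a daemon that does not verify the drop simply carries on as root. The child does not call pam_end() because the cleanup stack would then run without root; that is exactly why the parent keeps the handle and the privileges until after pam_close_session().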
 
