how should a daemon drop privileges in a PAM-compatible way?
I wrote a daemon that is started from an init-script as root, and then
uses setuid and setgid to drop to a less-privileged system user and
A user discovered that the program breaks when he uses the
libpam-tmpdir module, because TMPDIR doesn't get changed to the
/tmp/user/NNN directory, so the daemon tries, unsuccessfully, to
create files in /tmp.
What is the correct way to handle this?
I'm not very familiar with PAM, but I presume there might be other PAM
modules out there that would cause similar breakage; I don't want my
program to have to know about them all.
I can't use an su wrapper, because the daemon needs to do some
privileged things initially. Is there a high level function to
"change userid, groupid and do the related PAM things" that I can use,
or example code I can use? Thanks for any pointers.
Eric Cooper e c c @ c m u . e d u