[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

how should a daemon drop privileges in a PAM-compatible way?

I wrote a daemon that is started from an init-script as root, and then
uses setuid and setgid to drop to a less-privileged system user and

A user discovered that the program breaks when he uses the
libpam-tmpdir module, because TMPDIR doesn't get changed to the
/tmp/user/NNN directory, so the daemon tries, unsuccessfully, to
create files in /tmp.

What is the correct way to handle this?

I'm not very familiar with PAM, but I presume there might be other PAM
modules out there that would cause similar breakage; I don't want my
program to have to know about them all.

I can't use an su wrapper, because the daemon needs to do some
privileged things initially.  Is there a high level function to
"change userid, groupid and do the related PAM things" that I can use,
or example code I can use?  Thanks for any pointers.

Eric Cooper             e c c @ c m u . e d u

Reply to: