Eric Cooper <ecc@cmu.edu> writes:
> I wrote a daemon that is started from an init-script as root, and then
> uses setuid and setgid to drop to a less-privileged system user and
> group.
>
> A user discovered that the program breaks when he uses the
> libpam-tmpdir module, because TMPDIR doesn't get changed to the
> /tmp/user/NNN directory, so the daemon tries, unsuccessfully, to
> create files in /tmp.
>
> What is the correct way to handle this?
>
> I'm not very familiar with PAM, but I presume there might be other PAM
> modules out there that would cause similar breakage; I don't want my
> program to have to know about them all.
>
> I can't use an su wrapper, because the daemon needs to do some
> privileged things initially. Is there a high level function to
> "change userid, groupid and do the related PAM things" that I can use,
> or example code I can use? Thanks for any pointers.
I came across the same problem when writing schroot, which is a
setuid-root program which uses PAM for authentication prior to doing
some setup as root and then dropping root privs.
My solution was to use two processes, one running as root for PAM
tasks, which forks a child process to do the unprivileged stuff, i.e.
pam_init() and setup
...
pam_open_session()
root_setup_tasks()
int pid = fork()
if (pid == 0) {
} else {
wait_on_child
pam_close_session()
}
pam cleanup
I can't see a better way, because a PAM module at any point might need
root privs, even during cleanup. To see how schroot does this, check
out the git repo:
% git clone git://git.debian.org/git/buildd-tools/schroot.git
and see sbuild/sbuild-(auth|session).(cc|h). The stuff relevant to
the question is in the session code; the auth stuff is an
exception-safe C++ PAM wrapper.
Regards,
Roger
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
Attachment:
pgp3vhXWlvbzR.pgp
Description: PGP signature