how should a daemon drop privileges in a PAM-compatible way?

To: debian-mentors@lists.debian.org
Subject: how should a daemon drop privileges in a PAM-compatible way?
From: Eric Cooper <ecc@cmu.edu>
Date: Sun, 18 Nov 2007 20:53:58 -0500
Message-id: <[🔎] 20071119015357.GA20587@stratocaster.home>
Mail-followup-to: debian-mentors@lists.debian.org

I wrote a daemon that is started from an init-script as root, and then
uses setuid and setgid to drop to a less-privileged user & group.

A user discovered that the program breaks when he uses the
libpam-tmpdir module, because TMPDIR doesn't get changed to the
/tmp/user/NNN directory, so the daemon tries to create files in /tmp
without permission.

So, what is the correct way to do this?  Is there a high level
function to "change userid, groupid and do the related PAM things"
that I can use, or an example program to copy?  Thanks for any pointers.

-- 
Eric Cooper             e c c @ c m u . e d u

Reply to:

Prev by Date: RFS: libcares
Next by Date: Re: RFS: libcares
Previous by thread: Re: RFS: libcares
Next by thread: RFS: rabbit
Index(es):
- Date
- Thread