|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
This doesn't really look like a PAM question, exactly; although PAM and whatever calls it will determine which UID and GID your module starts executing as.gpg is a bad example; it's much more paranoid about the (E)UID and (E)GID it runs under. I don't think sudo will go quite far enough. Check the command you're trying to run manually; run it as root, as a "full" regular user, and as a restricted user like nobody. You'll probably have to do some additional (E)UID/(E)GID tweaking to get your module running as the correct UID/GID for what you want to accomplish.-kgd
ronald de la cruz wrote:
thanks for the reply...but my only problem is adding the 'sudo' in popen. if i run it without sudo, there's no problem... my main concern is how the PAM module will accept that sudo.
The second paragraph of my reply still applies; gpg is very particular about the UID, EUID, GID, and EGID it finds itself running under. sudo doesn't quite set everything perfectly IIRC - you *will* need to explicitly set the UID, EUID, GID, and/or EGID (one or more, depending on what's not set correctly for what you want to accomplish).
There's nothing special about PAM that I know of that limits sudo in any way; about the only thing I can think of is trouble determining which user is apparently *calling* sudo so you can add the appropriate entries to /etc/sudoers so that your command runs as the correct user.
A better idea of what your module is trying to accomplish would probably help the PAM gurus on the list give you some more specific advice; my recommendations come from trying to get gpg to run in a certain manner from a setuid Perl script. Among other problems I ran into, I found that sudo did NOT go far enough in setting the EUID to the correct user for my use of gpg.
-kgd _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list