Beyond any more general questions of whether pam sessions *should* be run as root, is there an immediate security concern with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.)

-- Mike Stone

diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } + if (session_opened) + return; /*Be idempotent so we can be called in monitor and child*/ pam_retval = pam_open_session(__pamh, 0); if (pam_retval != PAM_SUCCESS) fatal("PAM session setup failed[%d]: %.200s", @@ -304,6 +306,8 @@ do_pam_set_conv(&conv); + if (init&&creds_set) + return; /*be idempotent so we can be called in monitor and child*/ debug("PAM establishing creds"); pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); diff -u -r1.1.1.1 monitor.c --- monitor.c 24 Jun 2002 23:29:52 -0000 1.1.1.1 +++ monitor.c 25 Jun 2002 20:33:41 -0000 @@ -278,6 +278,8 @@ #ifdef USE_PAM if (!do_pam_account(authctxt->pw->pw_name, NULL)) authenticated = 0; + do_pam_session(authctxt->pw->pw_name, NULL); + do_pam_setcred(1); #endif }
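Review bot: in the first auth-pam.c hunk (@@ -286) the `if (session_opened) return;` guard runs before pam_open_session, but nothing in the hunk sets session_opened after the call succeeds; please confirm that assignment exists right after the PAM_SUCCESS check, otherwise the guard never fires. A single process-wide flag also turns every later session request on the connection into a no-op, so a client that opens several sessions over one connection gets one pam_open_session for all of them; tracking the open state per session would keep the monitor/child idempotence without that side effect. Minor: `/*Be idempotent ... child*/` wants a space after `/*` and before `*/`.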
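Review bot: in the second auth-pam.c hunk (@@ -304) the guard `if (init&&creds_set) return;` only short-circuits the PAM_ESTABLISH_CRED path, so a PAM_REINITIALIZE_CRED call still goes through; that looks intended but deserves a comment, and as with session_opened nothing visible sets creds_set. The early return sits after `do_pam_set_conv(&conv);`, so the conversation function is re-registered with PAM even on the no-op path; moving the guard above that call keeps the second invocation free of PAM side effects. Style: `init&&creds_set` should read `init && creds_set`.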
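Review bot: in the monitor.c hunk (@@ -278) `do_pam_session(authctxt->pw->pw_name, NULL);` and `do_pam_setcred(1);` run unconditionally, including when do_pam_account has just failed and set `authenticated = 0`, so a PAM session is opened and credentials are established for an account that did not pass the account check; and since do_pam_session calls fatal() on a PAM error (visible in the first hunk), a session module failure would take down the monitor for a login that was about to be refused anyway. Guard both calls with `if (authenticated)` (or move them to where the login is actually committed), and make sure the matching pam_close_session / PAM_DELETE_CRED now happen in the monitor at session end, since the monitor owns the session after this change.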
On Thu, 2002-06-27 at 08:58, Michael Stone wrote:

Regardless of other issues:

> + if (session_opened)
> + return; /*Be idempotent so we can be called in monitor and child*/

May break clients which allow multiple sessions over the same connection (e.g. ssh.com's)

-d
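The difference behind the caveat above, as an added example that is not code from the thread or from OpenSSH: a single `session_opened` flag (pattern A, as in the patch) collapses every open request on the connection, while per-session bookkeeping (pattern B) still makes the child's repeat call a no-op but gives a second session its own pam_open_session. The PAM call goes through a small backend table so the file builds and runs without libpam; the fake backend only counts calls, and `MAX_SESSIONS` and the integer session ids are assumptions made for the example.

```c
#include <stdio.h>

/* Added example; not code from the thread or from OpenSSH. The PAM call goes
 * through a small backend table so the file runs without libpam; the
 * constructed fake backend only counts calls. A real backend would point
 * open_session at a wrapper around pam_open_session. MAX_SESSIONS and the
 * integer session ids are assumptions for the example. */

#define MAX_SESSIONS 32

struct call_log { int opens; };   /* what the fake backend records */

struct pam_backend {
    int (*open_session)(void *handle, int flags);
    void *handle;   /* pam_handle_t * with real PAM; struct call_log * here */
};

static int fake_open(void *h, int flags)
{
    (void)flags;
    ((struct call_log *)h)->opens++;
    return 0;   /* stands in for PAM_SUCCESS */
}

/* Pattern A, as in the patch: one flag for the whole process. */
struct flag_state { int session_opened; };

int flag_open(struct flag_state *s, struct pam_backend *b)
{
    if (s->session_opened)
        return 0;   /* idempotent: the child's repeat call is a no-op */
    if (b->open_session(b->handle, 0) != 0)
        return -1;
    s->session_opened = 1;
    return 0;
}

/* Pattern B: one bit per session id. A repeated call for the same id
 * (monitor, then child) is still a no-op, but a different id on the same
 * connection gets its own pam_open_session. */
struct session_state { unsigned opened; };

int session_open(struct session_state *s, struct pam_backend *b, int id)
{
    unsigned bit;
    if (id < 0 || id >= MAX_SESSIONS)
        return -1;
    bit = 1u << id;
    if (s->opened & bit)
        return 0;
    if (b->open_session(b->handle, 0) != 0)
        return -1;
    s->opened |= bit;
    return 0;
}

/* Scenario from the thread: the monitor opens the session, the child
 * repeats the call, then the client requests a second session on the same
 * connection. Each function returns how many opens the backend saw. */
int scenario_flag(void)
{
    struct call_log log = { 0 };
    struct pam_backend b = { fake_open, &log };
    struct flag_state s = { 0 };
    flag_open(&s, &b);   /* monitor */
    flag_open(&s, &b);   /* child: collapsed, as intended */
    flag_open(&s, &b);   /* second session: also collapsed, not intended */
    return log.opens;    /* 1 */
}

int scenario_per_session(void)
{
    struct call_log log = { 0 };
    struct pam_backend b = { fake_open, &log };
    struct session_state s = { 0 };
    session_open(&s, &b, 0);   /* monitor */
    session_open(&s, &b, 0);   /* child: same id, collapsed */
    session_open(&s, &b, 1);   /* second session: its own open */
    return log.opens;          /* 2 */
}

int main(void)
{
    printf("flag guard: %d open(s); per-session: %d open(s)\n",
           scenario_flag(), scenario_per_session());
    return 0;
}
```

The closing side mirrors this: with pattern B each session id would get its own pam_close_session, whereas one flag can only close once, which is the other half of what a multi-session client would notice.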
Michael Stone <mstone at cs.loyola.edu> writes:

> Beyond any more general questions of whether pam sessions *should* be
> run as root, is there an immediate security concern with moving the

I believe that the original PAM authors intended pam_session to be run as root. Whether this is sensible or not is left as an exercise...

Matthew

--
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org
Matthew Vernon wrote:

> Michael Stone <mstone at cs.loyola.edu> writes:
>
>> Beyond any more general questions of whether pam sessions *should* be
>> run as root, is there an immediate security concern with moving the
>
> I believe that the original PAM authors intended pam_session to be run
> as root. Whether this is sensible or not is left as an exercise...

The application calling the PAM API needs to run with sufficient privilege for all of the configured service modules to do their job. This does not necessarily mean root, but it does degenerate to root on most systems that use PAM. In Solaris that means that all PAM functions must be called as root.

--
Darren J Moffat