Linux - Security
Hey everyone, quick question. I'm fixing up an old app written by my company many years ago for our new server. It's going to take the login info from a php page, then pass it to a small PAM enabled app to check the password (kinda like Squirrelmail with Dovecot IMAP). The only way it works right now though is if the www-data user uses sudo to run the app. Is there a safer, ie: without sudo, way to do this?
server = Debian Etch, apache2, php5
and if you need it, the source to the app looks like this:
Code:
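#include <security/pam_appl.h>

/* my_conv_function and user come from the part of the program elided below */
int main (void){
    struct pam_conv conv = {my_conv_function, NULL};
    pam_handle_t *ph;
    int error;
    //get user info, sanity check, other stuff ...
    if ((error = pam_start("login", user, &conv, &ph)) != PAM_SUCCESS) {
        //print errors and exit
        return 1;
    }
    error = pam_authenticate(ph, 0);
    if (error == PAM_SUCCESS) {
        //WIN
    } else {
        //FAIL
    }
    pam_end(ph, error);   /* release the PAM handle */
    return error == PAM_SUCCESS ? 0 : 1;
}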
What is it about this current method (sudo) that concerns you?
Nothing really, but my boss wants to avoid it if possible. I'm no expert on PAM programming, but I've looked at the source of other apps and they seem to achieve this without sudo or changing any user permissions, though I could be wrong.
Quote:
Nothing really, but my boss wants to avoid it if possible.
In your OP you said "safer" and here you say there's reasons to avoid Sudo. Maybe it could help if you explain in detail why Sudo should be avoided (in this case)?
Quote:
In your OP you said "safer" and here you say there's reasons to avoid Sudo. Maybe it could help if you explain in detail why Sudo should be avoided (in this case)?
Well, do you always do "sudo ls" to list a directory's contents when plain old "ls" will suffice? I'm not attempting to debate the merits of sudo, it's a fine way to run a program when root privileges are required. But that's my question: are they required? Is there a setting somewhere that I'm missing so that we can get by without it? I suspect from your responses there isn't, I can't find any info on it. Perhaps my word choice was a little poor, but I won't be the only one maintaining this program in the future. So if it needs to run with root privileges, we'd like to know ahead of time before, for example, some "just out of college" new employee who knows nothing about linux puts in an "execl('rm -rf');" and we all go wtf.
More simply put: Does a PAM login program need root to run? yes or no.
Last edited by mrbubblesort; 10-27-2008 at 07:25 PM.
Quote:
Perhaps my word choice was a little poor, but I won't be the only one maintaining this program in the future. So if it needs to run with root privileges, we'd like to know ahead of time before, for example, some "just out of college" new employee who knows nothing about linux puts in an "execl('rm -rf');" and we all go wtf. More simply put: Does a PAM login program need root to run? yes or no.
Yes. *Something* needs root account rights. Your webserver runs as its own lesser-privileged user. In the case of auth by proxy, and since shadow has DAC rights restrictions, the intermediate won't have access directly (and rightfully so). It's your choice of weakening the system by changing DAC rights on the shadow file or using a setXid intermediate. While the "just out of college" example has some value, the *right* approach would be to write minimal documentation about your setup and teach people to actually read and understand those before doing anything. Besides, setting up a NOPASSWD sudo entry would not harm root itself since you're only defining the transaction that combo specific_userX may run specific_application_Y with specific_args_Z. For examples of PAM handling auth that way see the difference in approach of say mod_authnz_external and mod_auth_pam2.
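The file-permission side of the answer above, as an added example that is not part of the original thread: it models the classic owner/group/other read decision for the shadow file and compares the plain web-server user, a root run via sudo, a setgid intermediate and a weakened file mode. The numeric ids (www-data=33, shadow=42), the root:shadow 0640 layout and the helper names are assumptions based on Debian defaults; ACLs, capabilities and PAM itself are not modelled.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Classic Unix DAC read check (ACLs and capabilities ignored): euid 0
 * bypasses it; otherwise only the first matching class is consulted. */
int dac_can_read(mode_t mode, uid_t owner, gid_t group,
                 uid_t euid, const gid_t *gids, size_t ngids)
{
    size_t i;
    if (euid == 0)
        return 1;
    if (euid == owner)
        return (mode & S_IRUSR) != 0;
    for (i = 0; i < ngids; i++)
        if (gids[i] == group)
            return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Constructed sample ids, assumed Debian defaults: www-data=33, shadow=42.
 * /etc/shadow is modelled as root:shadow with mode 0640. */
enum { UID_ROOT = 0, UID_WWW = 33, GID_WWW = 33, GID_SHADOW = 42 };

static int shadow_read(mode_t mode, uid_t euid, gid_t egid)
{
    return dac_can_read(mode, UID_ROOT, GID_SHADOW, euid, &egid, 1);
}
int www_data_plain(void)  { return shadow_read(0640, UID_WWW, GID_WWW); }
int via_sudo(void)        { return shadow_read(0640, UID_ROOT, 0); }
int setgid_shadow(void)   { return shadow_read(0640, UID_WWW, GID_SHADOW); }
int weakened_dac(void)    { return shadow_read(0644, UID_WWW, GID_WWW); }

int main(void)
{
    struct stat st;
    gid_t gids[65];
    int n = getgroups(64, gids);
    if (n < 0 || stat("/etc/shadow", &st) != 0) {
        perror("shadow check");
        return 2;
    }
    gids[n++] = getegid();   /* getgroups() may omit the effective gid */
    printf("euid %d can read /etc/shadow: %s\n", (int)geteuid(),
           dac_can_read(st.st_mode, st.st_uid, st.st_gid, geteuid(),
                        gids, (size_t)n) ? "yes" : "no");
    return 0;
}
```

The weakened-mode case succeeds only because every local account can then read the password hashes, which is the trade-off the answer describes.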
Quote:
Yes. *Something* needs root account rights. Your webserver runs as its own lesser-privileged user. In the case of auth by proxy, and since shadow has DAC rights restrictions, the intermediate won't have access directly (and rightfully so). It's your choice of weakening the system by changing DAC rights on the shadow file or using a setXid intermediate.
Ok, that's what I need to know. Thanks!!!
Quote:
Originally Posted by unSpawn
While the "just out of college" example has some value, the *right* approach would be to write minimal documentation about your setup and teach people to actually read and understand those before doing anything.
You're absolutely correct about the *right* approach though. My "just out of college" example was a bit of a hyperbole. I hope my company wouldn't be stupid enough to let just anyone sit down and go at it without any training, though I can't guarantee it.