LinuxQuestions.org
Old 10-23-2008, 09:03 PM   #1
mrbubblesort
LQ Newbie
 
Registered: Oct 2008
Location: Tokyo
Distribution: Debian / Ubuntu
Posts: 14

Rep: Reputation: 1
Permissions for running a PAM app


Hey everyone, quick question. I'm fixing up an old app written by my company many years ago for our new server. It's going to take the login info from a php page, then pass it to a small PAM enabled app to check the password (kinda like Squirrelmail with Dovecot IMAP). The only way it works right now though is if the www-data user uses sudo to run the app. Is there a safer, ie: without sudo, way to do this?


server = Debian Etch, apache2, php5
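and if you need it, the source to the app looks like this:
Code:
#include <stdio.h>
#include <security/pam_appl.h>

// conversation callback, defined elsewhere in the app
int my_conv_function(int num_msg, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata_ptr);

int main (void){
    struct pam_conv conv = {my_conv_function, NULL};
    pam_handle_t *ph = NULL;
    const char *user = NULL;
    int error;

    //get user info, sanity check, other stuff ...

    if ((error = pam_start("login", user, &conv, &ph)) != PAM_SUCCESS) {
        //print errors and exit
        fprintf(stderr, "pam_start failed: %d\n", error);
        return 2;
    }

    error = pam_authenticate(ph, 0);
    pam_end(ph, error);   // release the PAM handle

    if (error == PAM_SUCCESS)
        return 0;   //WIN
    else
        return 1;   //FAIL
}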
 
Old 10-23-2008, 09:06 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by mrbubblesort View Post
The only way it works right now though is if the www-data user uses sudo to run the app. Is there a safer, ie: without sudo, way to do this?
What is it about this current method (sudo) that concerns you?
 
Old 10-23-2008, 09:16 PM   #3
mrbubblesort
LQ Newbie
 
Registered: Oct 2008
Location: Tokyo
Distribution: Debian / Ubuntu
Posts: 14

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by win32sux View Post
What is it about this current method (sudo) that concerns you?
Nothing really, but my boss wants to avoid it if possible. I'm no expert on PAM programming, but I've looked at the source of other apps and they seem to achieve this without sudo or changing any user permissions, though I could be wrong.
 
Old 10-27-2008, 04:09 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

Rep: Reputation: 2952
Quote:
Originally Posted by mrbubblesort View Post
Nothing really, but my boss wants to avoid it if possible.
In your OP you said "safer" and here you say there's reasons to avoid Sudo. Maybe it could help if you explain in detail why Sudo should be avoided (in this case)?
 
Old 10-27-2008, 08:20 PM   #5
mrbubblesort
LQ Newbie
 
Registered: Oct 2008
Location: Tokyo
Distribution: Debian / Ubuntu
Posts: 14

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by unSpawn View Post
In your OP you said "safer" and here you say there's reasons to avoid Sudo. Maybe it could help if you explain in detail why Sudo should be avoided (in this case)?
Well, do you always do "sudo ls" to list a directory's contents when plain old "ls" will suffice? I'm not attempting to debate the merits of sudo, it's a fine way to run a program when root privileges are required. But that's my question: are they required? Is there a setting somewhere that I'm missing so that we can get by without it? I suspect from your responses there isn't, I can't find any info on it. Perhaps my word choice was a little poor, but I won't be the only one maintaining this program in the future. So if it needs to run with root privileges, we'd like to know ahead of time before, for example, some "just out of college" new employee who knows nothing about linux puts in an "execl('rm -rf');" and we all go wtf.


More simply put: Does a PAM login program need root to run? yes or no.

Last edited by mrbubblesort; 10-27-2008 at 08:25 PM.
 
Old 10-28-2008, 03:27 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

Rep: Reputation: 2952
Quote:
Originally Posted by mrbubblesort View Post
Perhaps my word choice was a little poor, but I won't be the only one maintaining this program in the future. So if it needs to run with root privileges, we'd like to know ahead of time before, for example, some "just out of college" new employee who knows nothing about linux puts in an "execl('rm -rf');" and we all go wtf. More simply put: Does a PAM login program need root to run? yes or no.
Yes. *Something* needs root account rights. Your webserver runs as its own lesser-privileged user. In the case of auth by proxy, and since shadow has DAC rights restrictions, the intermediate won't have access directly (and rightfully so). It's your choice of weakening the system by changing DAC rights on the shadow file or using a setXid intermediate. While the "just out of college" example has some value, the *right* approach would be to write minimal documentation about your setup and teach people to actually read and understand those before doing anything. Besides, setting up a NOPASSWD sudo entry would not harm root itself since you're only defining the transaction that combo specific_userX may run specific_application_Y with specific_args_Z. For examples of PAM handling auth that way see the difference in approach of say mod_authnz_external and mod_auth_pam2.
 
Old 10-28-2008, 05:22 AM   #7
mrbubblesort
LQ Newbie
 
Registered: Oct 2008
Location: Tokyo
Distribution: Debian / Ubuntu
Posts: 14

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by unSpawn View Post
Yes. *Something* needs root account rights. Your webserver runs as its own lesser-privileged user. In the case of auth by proxy, and since shadow has DAC rights restrictions, the intermediate won't have access directly (and rightfully so). It's your choice of weakening the system by changing DAC rights on the shadow file or using a setXid intermediate.
Ok, that's what I need to know. Thanks!!!


Quote:
Originally Posted by unSpawn View Post
While the "just out of college" example has some value, the *right* approach would be to write minimal documentation about your setup and teach people to actually read and understand those before doing anything.

You're absolutely correct about the *right* approach though. My "just out of college" example was a bit of a hyperbole. I hope my company wouldn't be stupid enough to let just anyone sit down and go at it without any training, though I can't guarantee it.
 
  


Tags
pam, permissions, programming

