PAM and arla

Love lha at stacken.kth.se
Wed Jul 21 22:05:44 CEST 1999


Christopher Allen Wing <wingc at engin.umich.edu> writes:

> > Two other things were needed to make this happen: no separate PAG creation
> > during XDM logins (nowadays we use PAM to do this) and no use of pagsh by
> > users.
> 
> Right. This is why you should always use setpag() before you open up a
> user's login session.
 
Most programs in kth-krb/heimdal do this at the right place.  I recommend
using it (there is PAM code in there too).  With PAM it is the same (if
you remember to add the session part in your PAM config file).

> > Nevertheless, I think it's very important that, by default, root should NOT
> > have a PAG.   Otherwise, any system work he does is likely to inherit the
> > PAG causing all sorts of anomalies.
> 
> Yep, actually with the setgroups() wrapper for Arla this problem can still
> occur. The setgroups() wrapper makes sure that the current PAG will always
> persist, unless the user decides to explicitly do a setpag.

The problem with PAGs was that they are lost when you use initgroups(3)
(i.e. setgroups(2)) if you don't use a wrapper. Since most PAM-aware programs
run pam_session_begin before initgroups(3), you lost the PAG just after
you got it. The hack around it is to use the setgroups wrapper.

(The other reason to use the setgroups wrapper is, as Chris pointed out
earlier, to make it harder to set your own PAG.)

You kind of lose whatever way you choose to do it *if* you don't implement
it consistently.

> So, if you have a PAG and su to root, the root shell will indeed inherit
> your tokens. For this reason I always make sure to log in as root and not
> su if I am going to start up a daemon.

Your su should set a PAG for you.
 
> The best way to fix this problem in Arla is to make Arla use the UID in
> addition to the first 2 supplementary groups to determine the PAG.

As I understand it, the PAG solution with just the groups was chosen since
it has the inherit property (I guess/think there were other reasons
too). You could have your suid lpr that could still read your file when you
printed it out.

I don't know if there is any program today that still depends on this.
Is this still a wanted feature (so just use the groups)?

Love
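A userspace model of the setgroups() wrapper discussed in this thread, added here as an example and not code from Arla or kth-krb: it carries the PAG pair held in the first two supplementary groups over into the list initgroups(3) would install, unless the caller is itself installing a PAG (an explicit setpag()). The numeric range used to recognise PAG groups is the classic AFS encoding as I recall it, and is an assumption to check against your client's source.

```c
/* Added example, not code from Arla or kth-krb: a userspace model of the
 * setgroups() wrapper discussed above.  AFS keeps the PAG in the first two
 * supplementary groups, so a plain initgroups(3)/setgroups(2) drops it; the
 * wrapper re-inserts the current PAG pair in front of the requested list,
 * unless the caller is itself installing a PAG (an explicit setpag()).
 * The PAG group range is the classic AFS encoding as I recall it: assumption. */
#include <stdio.h>
#include <sys/types.h>

#define PAG_GROUP_BASE  0x3f00u
#define PAG_GROUP_LIMIT 0xff00u        /* assumption: 0x3f00 + 0xc000 */

/* A PAG occupies exactly two consecutive groups in the PAG range. */
static int is_pag_pair(gid_t g0, gid_t g1)
{
    return g0 >= PAG_GROUP_BASE && g0 < PAG_GROUP_LIMIT &&
           g1 >= PAG_GROUP_BASE && g1 < PAG_GROUP_LIMIT;
}

/* Compute the list a wrapped setgroups() would install.  Returns the new
 * length, or -1 if out[] is too small.  Pure so it runs unprivileged; a
 * real wrapper hands the result to setgroups(2). */
int wrap_setgroups_list(const gid_t *cur, int ncur, const gid_t *req,
                        int nreq, gid_t *out, int maxout)
{
    int n = 0, i;
    int keep_pag = ncur >= 2 && is_pag_pair(cur[0], cur[1]) &&
                   !(nreq >= 2 && is_pag_pair(req[0], req[1]));

    if (keep_pag) {                     /* carry the current PAG over */
        if (maxout < 2) return -1;
        out[n++] = cur[0];
        out[n++] = cur[1];
    }
    for (i = 0; i < nreq; i++) {
        if (n >= maxout) return -1;
        out[n++] = req[i];
    }
    return n;
}

/* Constructed sample data: a session holding a PAG plus gid 100, the list
 * initgroups(3) would install for the user, and an explicit setpag() list. */
gid_t demo_cur[]    = { 0x7f01, 0x7f02, 100 };
gid_t demo_req[]    = { 100, 20 };
gid_t demo_setpag[] = { 0x7f10, 0x7f11, 100 };
gid_t demo_out[8];
```

Without the wrapper, demo_req is what the session would end up with and the PAG would be gone; with it, the PAG pair leads the list and the user's real groups follow.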
