ronald de la cruz | 3 Apr 2007 11:27

help with running popen

Hi there... I'm writing a PAM module with encryption using gpg.
I'm trying to use popen() to run an external command like gpg.
FILE *fp;
fp = popen("sudo gpg -ear....", "r");

The problem is, I'm trying to run this with the sudo command
but the PAM module won't accept it.
The error is

sudo: gpg: commant not found


Please help, I really need to run gpg with sudo.

--
ronald de la cruz

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
Kris Deugau | 3 Apr 2007 16:56

Re: help with running popen

This doesn't really look like a PAM question, exactly;  although PAM and 
whatever calls it will determine which UID and GID your module starts 
executing as.

ronald de la cruz wrote:
> Hi there... I'm writing a PAM module with encryption using gpg.
> I'm trying to use popen() to run an external command like gpg.
> FILE *fp;
> fp = popen("sudo gpg -ear....", "r");
> 
> The problem is, I'm trying to run this with the sudo command
> but the PAM module won't accept it.
> The error is
> 
> sudo: gpg: commant not found
> 
> 
> Please help, I really need to run gpg with sudo.

gpg is a bad example;  it's much more paranoid about the (E)UID and 
(E)GID it runs under.  I don't think sudo will go quite far enough.

Check the command you're trying to run manually;  run it as root, as a 
"full" regular user, and as a restricted user like nobody.  You'll 
probably have to do some additional (E)UID/(E)GID tweaking to get your 
module running as the correct UID/GID for what you want to accomplish.

-kgd
Andreas Schindler | 3 Apr 2007 19:59

Re: Pam-list Digest, Vol 38, Issue 1

There are several things which I suspect:

First, popen() does not necessarily provide a PATH, so it's a good idea
to supply an absolute path to 'gpg'.

Second, sudo needs a table of 'sudoers' to authorize against. Your
module will succeed only if you keep
this file up to date for ALL possible users :-(

Andreas

-- 
Dr.-Ing. Andreas Schindler

Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich

Telefon 06103-57187-21
Telefax 06103-373245

schindler <at> az1.de
www.az1.de
ronald de la cruz | 4 Apr 2007 02:56

Re: help with running popen

FILE *fp;
fp = popen("sudo gpg -ear....", "r");

Thanks for the reply... but my only problem is adding the 'sudo' in popen.
If I run it without sudo, there's no problem...

My main concern is how the PAM module will accept that sudo.


the gpg

--
ronald de la cruz
Kris Deugau | 5 Apr 2007 17:37

Re: help with running popen


>> This doesn't really look like a PAM question, exactly; although PAM and 
>> whatever calls it will determine which UID and GID your module starts 
>> executing as.
>> 
>> gpg is a bad example; it's much more paranoid about the (E)UID and 
>> (E)GID it runs under. I don't think sudo will go quite far enough. Check 
>> the command you're trying to run manually; run it as root, as a "full" 
>> regular user, and as a restricted user like nobody. You'll probably have 
>> to do some additional (E)UID/(E)GID tweaking to get your module running 
>> as the correct UID/GID for what you want to accomplish.
>> 
>> -kgd

ronald de la cruz wrote:
> Thanks for the reply... but my only problem is adding the 'sudo' in popen.
> If I run it without sudo, there's no problem...
> 
> My main concern is how the PAM module will accept that sudo.

The second paragraph of my reply still applies;  gpg is very particular 
about the UID, EUID, GID, and EGID it finds itself running under.  sudo 
doesn't quite set everything perfectly IIRC - you *will* need to 
explicitly set the UID, EUID, GID, and/or EGID (one or more, depending 
on what's not set correctly for what you want to accomplish).

There's nothing special about PAM that I know of that limits sudo in any 
way;  about the only thing I can think of is trouble determining which 
user is apparently *calling* sudo so you can add the appropriate entries 
to /etc/sudoers so that your command runs as the correct user.

A better idea of what your module is trying to accomplish would probably 
help the PAM gurus on the list give you some more specific advice;  my 
recommendations come from trying to get gpg to run in a certain manner 
from a setuid Perl script.  Among other problems I ran into, I found 
that sudo did NOT go far enough in setting the EUID to the correct user 
for my use of gpg.

-kgd
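A fork/exec helper of the kind Andreas's and Kris's replies point to, as an added example (not the poster's module and not code from this thread): it takes an absolute path, passes the arguments as an array instead of a shell string, and sets the real and effective gid/uid itself before exec, so nothing depends on sudo, on /bin/sh or on whatever PATH the calling application left behind. The minimal environment and the ids passed in are assumptions; gpg will additionally need HOME or GNUPGHOME pointing at the target user's keyring.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run an absolute-path program as uid/gid with no shell and capture its
 * stdout into out (NUL-terminated, truncated to outlen-1 bytes). Returns the
 * child's exit status, or -1 if pipe/fork/wait fails. Added example, not the
 * poster's PAM module; the minimal environment below is an assumption. */
int run_as(uid_t uid, gid_t gid, const char *path, char *const argv[],
           char *out, size_t outlen)
{
    int pfd[2];
    if (pipe(pfd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {                              /* child */
        close(pfd[0]);
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[1]);
        /* Drop supplementary groups (EPERM when already unprivileged is
         * fine), then set gid before uid. setgid/setuid change the real,
         * effective and saved ids together, which is what gpg inspects. */
        if (setgroups(0, NULL) == -1 && errno != EPERM) _exit(126);
        if (setgid(gid) == -1 || setuid(uid) == -1) _exit(126);
        /* Explicit environment and absolute path: the caller's PATH is never
         * consulted, so "command not found" cannot come from a stripped
         * PATH. gpg additionally needs HOME or GNUPGHOME for its keyring. */
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve(path, argv, envp);
        _exit(127);                              /* exec failed */
    }
    close(pfd[1]);                               /* parent */
    size_t used = 0;
    ssize_t n;
    while (used + 1 < outlen &&
           (n = read(pfd[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    char scratch[256];    /* drain so the child cannot block on a full pipe */
    while (read(pfd[0], scratch, sizeof scratch) > 0) ;
    close(pfd[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Exit status 126 means the id change failed and 127 means exec failed, so a module can log exactly which step went wrong instead of guessing from popen()'s stream.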
Tomas Mraz | 10 Apr 2007 21:07

Re: [Pam-patches] New pam items

On Tue, 2007-04-10 at 20:33 +0200, Thorsten Kukuk wrote:
> On Tue, Apr 10, Tomas Mraz wrote:
> 
> > What do you think of this idea to add PAM_DISPLAY and/or PAM_DEVICE
> > items?
> 
> I missed the case where this really makes a difference. When does an
> application have a tty and a display?
It probably doesn't have both of them (although I could imagine things
like su in an xterm terminal), but having them in separate PAM items
would remove ambiguity between device and display. Of course if we
simply disregard the possibility to have both display and tty we could
use PAM_TTY but at least there should be some recommendation on format
of the item value so display can be easily differentiated from a device.
Perhaps mandate using the tty device with a full path?

> And I'm afraid we need to discuss this with the other PAM 
> implementation maintainers, too. So maybe we should move it to
> at least linux-pam mailing list?
Ccing pam-list. Yes, I agree that this should be discussed at least with
OpenPAM developers and maybe others.

> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=230729

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
Andreas Schindler | 12 Apr 2007 08:24

Re: Pam-list Digest, Vol 38, Issue 4

I can't figure out, what PAM_DEVICE should be good for. IMHO it is far
too unspecific to be really useful.

To the discussion about PAM_DISPLAY: Before all, please consider that 
every X-Display on a local machine (i.e. DISPLAY=x.x or localhost:x.x)
ALWAYS has an associated TTY, because the X-Server needs a (pseudo-)device
to attach to. So, PAM_TTY and PAM_DISPLAY should be independent of each other.

By the way: why not use the PAM environment to store additional information?
Another way is possible using pam_set/get_data.
I've done this successfully when implementing a TACACS-to-PAM gateway.
In conjunction with a special PAM module to store and retrieve information
I consider this a very smooth way to associate additional information with PAM.

Yours
Andreas

Dr.-Ing. Andreas Schindler

Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141 
63303 Dreieich 

Telefon 06103-57187-21 
Telefax 06103-373245 
schindler <at> az1.de www.az1.de 

Alpha Zero One Computersysteme GmbH, Brandeniusstr. 3, 44265 Dortmund
HRB 11089 Amtsgericht Dortmund, Geschäftsführer : Klaus-Jürgen Koke, Joachim Carle 
Tomas Mraz | 12 Apr 2007 12:47

Re: Pam-list Digest, Vol 38, Issue 4

On Thu, 2007-04-12 at 08:24 +0200, Andreas Schindler wrote:
> I can't figure out, what PAM_DEVICE should be good for. IMHO it is far
> too unspecific to be really useful.
The reason is that we cannot change the meaning of PAM_TTY in display
managers (they set it to the DISPLAY value). But as you write below,
there is also the TTY used by the X server. This value would be useful
for pam_ck_connector module. (ConsoleKit library for fast user
switching.)

> To the discussion about PAM_DISPLAY: Before all, please consider that 
> every X-Display on a local machine (i.e. DISPLAY=x.x or localhost:x.x)
> ALWAYS has an associated TTY, because the X-Server needs a (pseudo-)device
> to attach to. So, PAM_TTY and PAM_DISPLAY should be independent of each other.
That's the reason why PAM_DISPLAY would be useful, although using the PAM
environment would work around that need. That's right.

> By the way: why not use the PAM environment to store additional information?
> Another way is possible using pam_set/get_data.
> I've done this successfully when implementing a TACACS-to-PAM gateway.
> In conjunction with a special PAM module to store and retrieve information
> I consider this a very smooth way to associate additional information with PAM.
pam_set/get_data cannot be used from an application.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
Julien Soula | 12 Apr 2007 15:22

return code of unix_chkpwd

hello,

I use ldap for account and I put something like that in PAM :

  auth [success=1 default=bad user_unknown=ignore] pam_unix.so 
  auth required pam_ldap.so use_first_pass
  ...

When a root application authenticates an LDAP user, there is no problem:
the first module returns "user_unknown" and the 2nd returns "success".

But when application is non-root, first module fails with "user_fail".
The reason is that the helper program "unix_chkpwd" has a dichotomic
return code :

        if ((retval != PAM_SUCCESS) || force_failure) {
            return PAM_AUTH_ERR;
        } else {
            return PAM_SUCCESS;
        }

Whereas it should return PAM_AUTH_UNKNOWN, it returns PAM_AUTH_ERR and
makes the module fail.

Is there a reason to this behaviour ?

Sincerely,
-- 
Julien
	<< You have nothing to say... Let's talk about it! >>
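A small model of how that two-line stack resolves, as an added example rather than Linux-PAM's own dispatch code: it applies the control values from the quoted configuration (success=1, default=bad, user_unknown=ignore, and "required" on pam_ldap) to the result each module would return, first with the real PAM_USER_UNKNOWN and then with the PAM_AUTH_ERR that unix_chkpwd collapses it into. The enum names mirror the Linux-PAM constants; the simplified evaluator and the assumption that pam_ldap accepts the user's password are mine.

```c
/* Simplified model of Linux-PAM auth-stack evaluation for the stack above.
 * Added example, not Linux-PAM's dispatch code: only the control actions
 * that stack uses are modelled (ignore, bad, ok, and skipping one module). */
enum rc { PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN };
enum action { ACT_IGNORE, ACT_BAD, ACT_OK, ACT_SKIP1 };

struct module {
    const char *name;
    enum action on_success, on_auth_err, on_user_unknown;
};

/* auth [success=1 default=bad user_unknown=ignore] pam_unix.so
 * auth required pam_ldap.so use_first_pass  ("required" = success=ok default=bad) */
static const struct module auth_stack[2] = {
    { "pam_unix", ACT_SKIP1, ACT_BAD, ACT_IGNORE },
    { "pam_ldap", ACT_OK,    ACT_BAD, ACT_BAD    },
};

static enum action action_for(const struct module *m, enum rc r)
{
    if (r == PAM_SUCCESS)      return m->on_success;
    if (r == PAM_USER_UNKNOWN) return m->on_user_unknown;
    return m->on_auth_err;                 /* everything else hits default= */
}

/* results[i] is what module i returns; the first "bad" result decides. */
enum rc run_stack(const struct module *stack, const enum rc *results, int n)
{
    enum rc status = PAM_SUCCESS;
    int failed = 0;
    for (int i = 0; i < n; i++) {
        switch (action_for(&stack[i], results[i])) {
        case ACT_IGNORE: break;            /* as if the module were absent */
        case ACT_OK:     break;            /* success unless an earlier bad */
        case ACT_BAD:    if (!failed) { failed = 1; status = results[i]; } break;
        case ACT_SKIP1:  i += 1; break;    /* success=1: jump over next module */
        }
    }
    return failed ? status : PAM_SUCCESS;
}

/* LDAP-only user whose password pam_ldap accepts (assumed). pam_unix reports
 * the real PAM_USER_UNKNOWN when the application is root, but PAM_AUTH_ERR
 * once unix_chkpwd collapses it for a non-root application. */
enum rc ldap_user_outcome(int app_is_root)
{
    enum rc results[2] = { app_is_root ? PAM_USER_UNKNOWN : PAM_AUTH_ERR,
                           PAM_SUCCESS };
    return run_stack(auth_stack, results, 2);
}
```

With the collapsed code, user_unknown=ignore never fires, default=bad records the failure, and pam_ldap's later success cannot undo it; that is the whole of the symptom described above.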
Bob | 12 Apr 2007 18:02

PAM to LDAP

I am trying to get our SuSE 9 (s390x) to use the common company LDAP 
server. I have tried several ways to get LDAP users to be able to log in. 
Right now /etc/security/pam_unix2.conf is set to use_ldap and there 
is no sshd in /etc/pam.d. A user that is in the local Linux system 
can sign in directly; if the user is not in either the Linux machine or 
LDAP, the system will ask for a password a few times and then close the 
connection.

But if the user is in the LDAP server, once the password is entered the 
ssh session will just close. In /var/log/messages the following line 
shows up: sshd[5162]: fatal: PAM: authentication thread exited unexpectedly

Does anyone know how to either get around this, what the right 
configuration is to use LDAP, or how to get more information on what is 
wrong?
