Setuid on successful PAM Authentication

Thaddeus Ternes tternes at gmail.com
Tue Oct 3 23:19:17 WST 2006


I have (what I believe) to be a unique development case that I'm
interested in some input on.  I'd like to add support to my PAM-based
system to map valid PAM authentications back to a certain /etc/passwd
user.  For instance (and specifically, at the moment), I want to use
pam_radius_auth to authenticate "someuser/somepassword" and then map
those valid credentials back to my "linuxuser" listed in /etc/passwd.
At this point, I can actually do this, thanks to a few development
efforts I've done (and will outline below).

Here's where I am so far...

I recently patched Busybox's login code to support PAM authentication,
and it seems to work great.  I'm now using pam_unix on my
Busybox-based system, rather than the built-in stuff.  So far, so
good.  However, I need to be able to map a valid radius user back to
my system user (I have a single non-root account on the machine).  So,
I hacked out a quick patch to pam_radius_auth to make it behave like
BSD's "template_user."  That is, I specify the following in
/etc/pam.d/login:

auth  required  /lib/security/pam_radius_auth.so template_user=linuxuser

and when the radius authentication is valid, set PAM_USER to the
template user.  My Busybox patch checks for this change.  This was a
pretty small change in pam_radius_auth:

if(retval == PAM_SUCCESS && (ctrl & PAM_TEMPLATE_USER))
          pam_set_item(pamh, PAM_USER, template_user);

However, I'm finding out that most applications implementing PAM
support don't do a check for a username change after a successful PAM
authentication.  Instead, the PAM authentication succeeds, and then
the application will call getpwnam() on the radius username, rather
than getting the PAM_USER value from PAM after the authentication.
Perhaps what I'm looking for is beyond what PAM is really intended,
and I'll have to find some other means to accomplish this.  However, I
don't see this being isolated to just radius authentications.  In the
future, I may wish to authenticate my system against some other
infrastructure (say LDAP), where any user in the "administrators"
group is allowed access to my device.

Any suggestions on an approach that might be appropriate?  All I've
come up with to date is patching the applications I hope to support on
my system (dropbear, and ftpd, and possibly samba).  If this is the
*right* approach, I'm fine with that.  I'd like to solve this with the
most correct approach.

Thanks for reading all the way through this wordy e-mail.  I'm still
pretty new to Linux development (though a user for a number of years),
so any guidance is greatly appreciated.

-Thaddeus



More information about the Dropbear mailing list