On 17 March 2012 22:29, Cristian Ionescu-Idbohrn <[email protected]> wrote:
> On Fri, 16 Mar 2012, Daniel Hartwig wrote:
>> - manually invoking distccd as non-root also works.
>
> Was it the distccd non-root user you had in mind, or another?
>

Hi

I mean that any user can run /usr/bin/distccd.

>> Users of libpam-tmpdir experiencing this problem can add 'TMPDIR=/tmp'
>> to /etc/default/distcc and then run 'invoke-rc.d distcc start'.
>
> Well, wouldn't that be exactly the opposite of what libpam-tmpdir is
> trying to achieve?
>

That suggestion is a workaround until the package is fixed. Yes, doing
that would be defeating the purpose of libpam-tmpdir, however, in this
case the TMPDIR has been assigned for root, not distccd. In its normal
course of operation no per-user TMPDIR would be assigned to distccd
because it does not start a PAM session.

>>
>> The author of libpam-tmpdir recommends that daemons initiate their own
>> PAM session.[3] This would fix the issue with TMPDIR as well as any
>> other latent problems relating to PAM and local admin policy, etc.
>>
>> Other solutions used in the wild:
>> - add TMPDIR=/tmp in /etc/default/distcc;
>> - check that TMPDIR is writable, falling back to /tmp; or
>> - unset TMPDIR in /etc/init.d/distcc.
>>
>> but those remove various degrees of control/convenience from the local
>> admin.
>
> True. So, a sustainable solution would be to have the daemon take care of
> securing the tmpdir it wants to chdir to, beforehand, wouldn't it?
>

"Securing the tmpdir" .. do you mean, by starting a PAM session?

I am prone to implementing this:

>> - check that TMPDIR is writable, falling back to /tmp; or

because it is valid, robust, and requires little effort. I note that
many programs actually fail if TMPDIR is not writable... !?

I am not familiar with PAM or starting PAM sessions in daemons.
However, I am sure that upstream would be interested in a patch should
you or someone else choose to prepare one.

Regards
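The option favoured above, "check that TMPDIR is writable, falling back to /tmp", as an added example and not code from distcc, the Debian package or anyone in this thread. It shows what such a check looks like in a C daemon: honour $TMPDIR only when it names an existing directory the daemon's user can actually create files in (the failure in the thread is a root-only per-user directory inherited from the init script), and otherwise fall back to /tmp. The function and helper names (tmpdir_usable, select_tmpdir, tmpdir_from_env, make_scratch_dir) are this example's own; the scratch directory it creates with mkdtemp(3) is constructed for the demonstration.

```c
/* Added example (not distcc's own code): choose a usable temporary
 * directory, honouring $TMPDIR only when it is really writable by the
 * user the daemon runs as, and falling back to /tmp otherwise. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define FALLBACK_TMPDIR "/tmp"

/* Return 1 if `path` is an absolute path to an existing directory in which
 * the current user may create files, 0 otherwise.  A per-user TMPDIR that
 * belongs to root (the libpam-tmpdir case) fails the access() check once
 * the daemon has dropped to its unprivileged user. */
int tmpdir_usable(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;                      /* unset, empty, or relative path */
    if (stat(path, &st) != 0)
        return 0;                      /* does not exist or not reachable */
    if (!S_ISDIR(st.st_mode))
        return 0;                      /* a file, device, socket, ... */
    /* Creating an entry needs write and search permission on the directory.
     * access(2) tests the real uid/gid, which is the daemon's own identity
     * after it has switched to its service user. */
    if (access(path, W_OK | X_OK) != 0)
        return 0;
    return 1;
}

/* Use the candidate (normally the value of $TMPDIR) when usable, else the
 * fallback.  Returns a pointer to whichever string was chosen. */
const char *select_tmpdir(const char *candidate)
{
    return tmpdir_usable(candidate) ? candidate : FALLBACK_TMPDIR;
}

/* What a daemon would call once at startup, before chdir()ing there. */
const char *tmpdir_from_env(void)
{
    return select_tmpdir(getenv("TMPDIR"));
}

/* Demo/test helper: create a fresh, writable directory under /tmp with
 * mkdtemp(3).  Returns a heap string the caller frees, or NULL on error. */
char *make_scratch_dir(void)
{
    char *tmpl = strdup("/tmp/tmpdir-check-XXXXXX");   /* constructed name */
    if (tmpl == NULL)
        return NULL;
    if (mkdtemp(tmpl) == NULL) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}

int main(void)
{
    char *scratch = make_scratch_dir();

    printf("TMPDIR from environment -> %s\n", tmpdir_from_env());
    printf("unwritable/absent value -> %s\n",
           select_tmpdir("/nonexistent/per-user/tmp"));   /* constructed */
    if (scratch != NULL) {
        printf("fresh scratch dir       -> %s\n", select_tmpdir(scratch));
        rmdir(scratch);
        free(scratch);
    }
    return 0;
}
```

Run it with `TMPDIR=/some/root-only/dir ./a.out` as an unprivileged user to see the fallback taken, and with TMPDIR unset or pointing at a directory you own to see the value honoured. Note that when run as root, access() succeeds on any existing directory, so the fallback is only exercised by the missing-directory and not-a-directory cases; that matches the thread, where the problem only appears once distccd is running as its non-root user.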

