tags 376165 - patch pending
tags 376165 wontfix
thanks
Hello,
I reverted the patch.
It is not possible to have a correct PAM sessions support in
start-stop-daemon.
When start-stop-daemon starts a daemon, it cannot closes the PAM session,
or the session will be closed before the daemon quits.
Hence I'm tagging these bugs wontfix (and remove the patch tag).
Thanks to Guillem Jover for noticing.
Kind Regards,
--
Nekral
On Wed, Feb 28, 2007 at 12:07:01AM +0100, Nicolas François wrote:
> block 373786 by 406942
> merge 376165 406942
> tags 376165 patch
> thanks
>
> Hi,
>
> In both #376165 and #406942, you asked for PAM support in
> start-stop-daemon.
>
> The attached patch adds a --pam <service> option to start-stop-daemon.
> It only implements PAM session (i.e. no authentication, etc), which I
> guess is sufficient.
>
> Marc, does it work with the exim use case? (It would mean adding something
> like --pam exim-cron, and interested users should create
> /etc/pam.d/exim-cron).
>
> I tested it with the pam_tmpdir module and tested the --chuid and
> --background options.
> (s-s-d --pam test -S --chuid test -x /tmp/sh -- -c "echo \$TMPDIR")
>
> Russel, it would be nice if you could test the patch with the
> pam_namespace module.
>
> Kind Regards,
> --
> Nekral
> Index: utils/start-stop-daemon.c
> ===================================================================
> --- utils/start-stop-daemon.c (révision 650)
> +++ utils/start-stop-daemon.c (copie de travail)
> @@ -88,6 +88,9 @@
> #include <limits.h>
> #include <assert.h>
> #include <ctype.h>
> +#include <sys/wait.h>
> +#include <security/pam_appl.h>
> +#include <security/pam_misc.h>
>
> #ifdef HAVE_SYS_CDEFS_H
> #include <sys/cdefs.h>
> @@ -140,6 +143,14 @@
> static int nicelevel = 0;
> static int umask_value = -1;
>
> +static pam_handle_t *pamh = NULL;
> +static char *pam = NULL;
> +
> +static struct pam_conv conv = {
> + misc_conv,
> + NULL
> +};
> +
> static struct stat exec_stat;
> #if defined(OSHURD)
> static struct proc_stat_list *procset = NULL;
> @@ -224,6 +235,10 @@
> {
> va_list arglist;
>
> + if (pamh) {
> + int retcode = pam_close_session(pamh,0);
> + pam_end(pamh,retcode);
> + }
> fprintf(stderr, "%s: ", progname);
> va_start(arglist, format);
> vfprintf(stderr, format, arglist);
> @@ -306,6 +321,7 @@
> " -r|--chroot <directory> chroot to <directory> before starting\n"
> " -d|--chdir <directory> change to <directory> (default is /)\n"
> " -N|--nicelevel <incr> add incr to the process's nice level\n"
> +" -P|--pam <service> open a session with this PAM service\n"
> " -k|--umask <mask> change the umask to <mask> before
> starting\n"
> " -b|--background force the process to detach\n"
> " -m|--make-pidfile create the pidfile before starting\n"
> @@ -512,6 +528,7 @@
> { "make-pidfile", 0, NULL, 'm'},
> { "retry", 1, NULL, 'R'},
> { "chdir", 1, NULL, 'd'},
> + { "pam", 1, NULL, 'P'},
> { NULL, 0, NULL, 0}
> };
> const char *umask_str = NULL;
> @@ -598,6 +615,9 @@
> case 'd': /* --chdir /new/dir */
> changedir = optarg;
> break;
> + case 'P': /* --pam <service> */
> + pam = optarg;
> + break;
> default:
> badusage(NULL); /* message printed by getopt */
> }
> @@ -1326,6 +1346,62 @@
> #endif
> devnull_fd=open("/dev/null", O_RDWR);
> }
> + if (pam) {
> + int retcode;
> + char **envcp;
> +
> + char *pam_user;
> + struct passwd *pw;
> + pw = getpwuid((-1==runas_uid)?getuid():runas_uid);
> + if (!pw) {
> + fatal("user ID `%d' not found\n",
> + (-1==runas_uid)?getuid():runas_uid);
> + }
> + else {
> + pam_user = strdup(pw->pw_name);
> + if (!pam_user)
> + fatal("Unable to allocate memory: %s",
> strerror(errno));
> + }
> +
> + retcode = pam_start (pam, pam_user, &conv, &pamh);
> + if (PAM_SUCCESS != retcode) {
> + fprintf(stderr, "%s\n", pam_strerror(pamh, retcode));
> + pam_end(pamh, retcode);
> + exit(2);
> + }
> +
> + /* Some PAM modules may rely on PAM_RUSER */
> + if (pam_user) {
> + int retcode = pam_set_item(pamh, PAM_RUSER, pam_user);
> + if (PAM_SUCCESS != retcode) {
> + fprintf(stderr,
> + "%s\n",
> + pam_strerror(pamh, retcode));
> + pam_end(pamh, retcode);
> + exit(2);
> + }
> + }
> + /* FIXME: set some other PAM variables?
> + */
> +
> + retcode = pam_open_session(pamh, 0);
> + if (PAM_SUCCESS != retcode) {
> + fprintf(stderr, "%s\n", pam_strerror(pamh, retcode));
> + pam_end(pamh, retcode);
> + exit(2);
> + }
> +
> + /* Copy the environment variables set by the PAM modules. */
> + envcp = pam_getenvlist (pamh);
> + if (envcp) {
> + while (*envcp) {
> + int err = putenv(*envcp);
> + if (err)
> + fatal("Unable to set the '%s'
> environment variable: %s", *envcp, strerror(errno));
> + envcp++;
> + }
> + }
> + }
> if (nicelevel) {
> errno=0;
> if ((nice(nicelevel)==-1) && (errno!=0))
> @@ -1386,6 +1462,30 @@
> setpgid(0,0);
> #endif
> }
> + if (NULL != pam) {
> + int parent = fork();
> + if (parent < 0) {
> + fatal("Unable to fork.\n");
> + }
> + if (parent) {
> + /* parent: wait for child to finish,
> + * then cleanup the PAM session.
> + */
> + int retcode;
> + int status = 1;
> + (void) wait(&status);
> +
> + retcode = pam_close_session(pamh,0);
> + pam_end(pamh,retcode);
> +
> + if (WIFSIGNALED(status))
> + status = 1;
> + else
> + status = WEXITSTATUS(status);
> + exit(status);
> + }
> + /* Only child continue */
> + }
> execv(startas, argv);
> fatal("Unable to start %s: %s", startas, strerror(errno));
> }
> Index: utils/Makefile.am
> ===================================================================
> --- utils/Makefile.am (révision 650)
> +++ utils/Makefile.am (copie de travail)
> @@ -13,7 +13,7 @@
> start_stop_daemon_SOURCES = \
> start-stop-daemon.c
>
> - start_stop_daemon_LDADD = ../getopt/libopt.a $(SSD_LIBS)
> + start_stop_daemon_LDADD = ../getopt/libopt.a $(SSD_LIBS) -lpam -lpam_misc
> endif
>
>
> Index: man/start-stop-daemon.8
> ===================================================================
> --- man/start-stop-daemon.8 (révision 650)
> +++ man/start-stop-daemon.8 (copie de travail)
> @@ -227,6 +227,9 @@
> \fB\-N\fP|\fB\-\-nicelevel\fP \fIint\fP
> This alters the priority of the process before starting it.
> .TP
> +\fB\-P\fP|\fB\-\-pam\fP \fIpam_service\fP
> +Start a PAM session, using the given PAM service.
> +.TP
> \fB\-k\fP|\fB\-\-umask\fP \fImask\fP
> This sets the umask of the process before starting it.
> .TP
