Roland Mainz wrote:
> Roland Mainz wrote:
> [snip]
> > > I think the best way forward here is to get a prototype up and running
> > > and do a detailed security audit to make sure that admins writing shell
> > > script pam modules can't trivially destroy security.
> >
> > How is the audit done ?
>
> I just did a quick look at
> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/pam_modules/allow/allow.c
> ... it may be possible to hack a prototype within a day (assuming I
> restrict it to pass the arguments from |pam_sm_*()| into a compound
> variable and implement only a "pam_putenv" builtin (and maybe a
> "pam_getenv")) plus the usual two day compile time...

Short implementation question - which of the following concepts is better:

1. Simple solution: Start a shell script each time a |pam_sm_*()| function
   is called, run it until it finishes and collect the results

or

2. Create a shell instance for each created |pam_handle_t| and run the
   script; the script defines a set of shell functions, one per
   |pam_sm_*()| callback, and when such a callback is called it launches
   the matching shell function. The shell instance is destroyed when the
   matching |pam_handle_t| is disposed.

Erm, the 2nd solution is a little bit more complicated to implement but
would be more flexible since the shell and all its global variables would
live as long as the matching |pam_handle_t| exists.

Questions:
- Is it possible to create something like a callback which is launched
  when a |pam_handle_t| is created and another when the |pam_handle_t| is
  destroyed ?
- Are PAM modules allowed to maintain their own file handles, e.g. the
  shell may open files and keep them around until the shell instance is
  destroyed or the script closes the handle...
- How do PAM and signals interact, e.g. can a PAM callback temporarily
  change signal masks&co. assuming it restores the original settings when
  it returns to the caller ?

----

Bye,
Roland

--
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)
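The persistent-instance design (concept 2) seen from the script's side, as an added example that is not from this mail or from OpenSolaris: one shell instance keeps state across the pam_sm_*() callbacks, and a dispatcher runs only names from an allow-list, which is the kind of check the security audit quoted above would look for. dispatch_pam_callback, the pam_putenv/pam_getenv stand-ins and the numeric status values are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not code from the original mail or from OpenSolaris.
# Script side of concept 2: one shell instance per pam_handle_t; the host
# module calls dispatch_pam_callback once per pam_sm_*() entry point.
# dispatch_pam_callback, pam_putenv/pam_getenv and the status values are
# assumptions for this sketch (numbers follow Linux-PAM's pam_appl.h).
PAM_SUCCESS=0
PAM_AUTH_ERR=7
PAM_SESSION_ERR=14
PAM_IGNORE=25

# Allow-list of entry points the host may invoke: only the six pam_sm_*
# names, never an arbitrary shell function chosen by the caller.
PAM_CALLBACKS="pam_sm_authenticate pam_sm_setcred pam_sm_acct_mgmt pam_sm_open_session pam_sm_close_session pam_sm_chauthtok"

# Stand-ins for the pam_putenv/pam_getenv builtins: a space-separated
# list of VAR=value pairs the host would copy into the PAM environment.
PAM_ENV_LIST=""
pam_putenv() { PAM_ENV_LIST="${PAM_ENV_LIST}$1 "; }
pam_getenv() {
    for e in $PAM_ENV_LIST; do
        case "$e" in "$1="*) printf '%s\n' "${e#*=}"; return 0 ;; esac
    done
    return 1
}

# Script-defined callbacks. AUTH_USER/AUTH_SERVICE are globals of this
# instance, so they persist from authenticate to open_session.
pam_sm_authenticate() {   # $1 = PAM_USER, $2 = PAM_SERVICE
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return "$PAM_AUTH_ERR" ;; esac
    AUTH_USER=$1; AUTH_SERVICE=$2
    return "$PAM_SUCCESS"
}
pam_sm_open_session() {   # refuse a session this instance never authenticated
    [ "${AUTH_USER:-}" = "$1" ] || return "$PAM_SESSION_ERR"
    pam_putenv "PAM_SH_SERVICE=$AUTH_SERVICE"
    return "$PAM_SUCCESS"
}
pam_sm_close_session() { unset AUTH_USER AUTH_SERVICE; return "$PAM_SUCCESS"; }

# Dispatcher: maps a pam_sm_*() name plus its arguments to the shell function.
dispatch_pam_callback() {
    cb=$1; shift
    for allowed in $PAM_CALLBACKS; do
        [ "$cb" = "$allowed" ] || continue
        command -v "$cb" >/dev/null 2>&1 || return "$PAM_IGNORE"  # not defined by script
        "$cb" "$@"; return $?
    done
    return "$PAM_AUTH_ERR"   # name outside the allow-list
}
```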