On Thu, Sep 13, 2007 at 02:50:19AM +0200, Roland Mainz wrote:
> Roland Mainz wrote:
> > Roland Mainz wrote:
> > [snip]
> > > > I think the best way forward here is to get a prototype up and running
> > > > and do a detailed security audit to make sure that admins writing shell
> > > > script pam modules can't trivially destroy security.
> > >
> > > How is the audit done ?
> >
> > I just did a quick look at
> > http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/pam_modules/allow/allow.c
> > ... it may be possible to hack a prototype within a day (assuming I
> > restrict it to pass the arguments from |pam_sm_*()| into a compound
> > variable and implement only a "pam_putenv" builtin (and maybe a
> > "pam_getenv")) plus the usual two day compile time...
>
> Short implementation question - which of the following concepts is
> better:
> 1. Simple solution: Start a shell script each time a |pam_sm_*()|
> function is called, run it until it finishes and collect the results
>
> or
>
> 2. Create a shell instance for each created |pam_handle_t| and run the
> script, the script defines a set of shell functions, one per
> |pam_sm_*()| callback and when such a callback is called it launches the
> matching shell function. The shell instance is destroyed when the
> matching |pam_handle_t| is disposed.
>
> Erm, the 2nd solution is a little bit more complicated to implement but
> would be more flexible since the shell and all its global variables
> would live as long as the matching |pam_handle_t| exists.

(2), so the module can keep state.  I still think Perl5 is better because
there is so much functionality in CPAN that could be used for all sorts of
PAM modules.

> Questions:
> - Is it possible to create something like a callback which is launched
> when a |pam_handle_t| is created and another when the |pam_handle_t| is
> destroyed ?

Yes to the latter, no to the former.

> - Are PAM modules allowed to maintain their own file handles, e.g. the
> shell may open files and keep it around until the shell instance is
> destroyed or the script closes the handle...

Yes.

> - How do PAM and signals interact, e.g. can a PAM callback temporarily
> change signal masks&co. assuming it restores the original settings when
> it returns to the caller ?

I doubt it (among other things PAM modules must be MT-Safe).