1 |
On 02/23/2010 11:58 AM, Ned Ludd wrote: |
2 |
> Q: |
3 |
> If the end user is using Linux-Pam on his/her host system and they run |
4 |
> this. It will ignore loading extra pam modules when entering the chroot? |
5 |
> Or do they flat out need to disable pam on the host so they can take |
6 |
> advantage of this for the chroot? |
7 |
|
8 |
They don't need to disable pam for useradd, groupadd, etc... for the |
9 |
same reason they don't for the chroot command. PAM is for |
10 |
authenticating users (attempting to ensure that a user who wants to use |
11 |
a utility that he or she already has permission to, is indeed that |
12 |
user). Also keep in mind that all the chroot() function does is |
13 |
(basically) prefix the path string in any functions (within the same |
14 |
process or child processes) explicitly dealing with paths (fopen, for |
15 |
example) with a sub path string (as if the process is changing the |
16 |
directory to the chroot() path and then treating all absolute paths from |
17 |
that point on as relative paths, and paths prefixed with "./" are |
18 |
treated relative to the ACTUAL directory the process exists in , i.e. |
19 |
the program was called from). |
20 |
|
21 |
The chroot() function is privileged process with the CAP_SYS_CHROOT |
22 |
capability. Even the chroot program which uses the chroot() function |
23 |
doesn't check if you're root, if it should delegate such a capability on |
24 |
a particular uid or call on PAM. It assumes it is being run as root and |
25 |
if chroot() fails it simply spits out "cannot change root directory to |
26 |
...". My patch at least checks if the uid is 0 and if not emits "must |
27 |
be superuser for chroot access". |
28 |
|
29 |
PAM processes are called by shadow (at least where I've encountered them |
30 |
so far) to pre-authenticate a user (and only when both |
31 |
--enable-account-tools-setuid and --with-libpam were enabled at |
32 |
configure time) to use the particular utility. That it would do so even |
33 |
if the user was root seems to me a redundancy (since a system |
34 |
would/should not allow root to grant or deny certain access rights |
35 |
to/from itself). When the program is called (suid bit enabled) PAM |
36 |
takes care of the uid, euid discrepancy. The chroot() process however, |
37 |
shouldn't be called by a non-root user, period. There are non-standard |
38 |
modules on other systems to enable suid + chroot() + PAM authentication, |
39 |
they are used to mimic the chroot utility (so a user can login to their |
40 |
own subdirectory jail). It seems to me it would be an unnecessary |
41 |
security risk to allow a non-root user to authenticate to add/delete |
42 |
users/groups from an offset directory. This should be left to root |
43 |
only. Otherwise a dependency on pam_chroot or some other non-standard |
44 |
module would have to be created, or a new module would have to be |
45 |
written just for the --chroot option. |
46 |
|
47 |
In short, using the --chroot option if compiled with --with-libpam is |
48 |
fine so long as it's actually run as root. As far as I know, emerge has |
49 |
to be run as root (except for --pretend and searching). |