| 1 |
On 02/23/2010 11:58 AM, Ned Ludd wrote: |
| 2 |
> Q: |
| 3 |
> If the end user is using Linux-Pam on his/her host system and they run |
| 4 |
> this. It will ignore loading extra pam modules when entering the chroot? |
| 5 |
> Or do they flat out need to disable pam on the host so they can take |
| 6 |
> advantage of this for the chroot? |
| 7 |
|
| 8 |
They don't need to disable pam for useradd, groupadd, etc... for the |
| 9 |
same reason they don't for the chroot command. PAM is for |
| 10 |
authenticating users (attempting to ensure that a user who wants to use |
| 11 |
a utility that he or she already has permission to, is indeed that |
| 12 |
user). Also keep in mind that all the chroot() function does is |
| 13 |
(basically) prefix the path string in any functions (within the same |
| 14 |
process or child processes) explicitly dealing with paths (fopen, for |
| 15 |
example) with a sub path string (as if the process is changing the |
| 16 |
directory to the chroot() path and then treating all absolute paths from |
| 17 |
that point on as relative paths, and paths prefixed with "./" are |
| 18 |
treated relative to the ACTUAL directory the process exists in , i.e. |
| 19 |
the program was called from). |
| 20 |
|
| 21 |
The chroot() function is privileged process with the CAP_SYS_CHROOT |
| 22 |
capability. Even the chroot program which uses the chroot() function |
| 23 |
doesn't check if you're root, if it should delegate such a capability on |
| 24 |
a particular uid or call on PAM. It assumes it is being run as root and |
| 25 |
if chroot() fails it simply spits out "cannot change root directory to |
| 26 |
...". My patch at least checks if the uid is 0 and if not emits "must |
| 27 |
be superuser for chroot access". |
| 28 |
|
| 29 |
PAM processes are called by shadow (at least where I've encountered them |
| 30 |
so far) to pre-authenticate a user (and only when both |
| 31 |
--enable-account-tools-setuid and --with-libpam were enabled at |
| 32 |
configure time) to use the particular utility. That it would do so even |
| 33 |
if the user was root seems to me a redundancy (since a system |
| 34 |
would/should not allow root to grant or deny certain access rights |
| 35 |
to/from itself). When the program is called (suid bit enabled) PAM |
| 36 |
takes care of the uid, euid discrepancy. The chroot() process however, |
| 37 |
shouldn't be called by a non-root user, period. There are non-standard |
| 38 |
modules on other systems to enable suid + chroot() + PAM authentication, |
| 39 |
they are used to mimic the chroot utility (so a user can login to their |
| 40 |
own subdirectory jail). It seems to me it would be an unnecessary |
| 41 |
security risk to allow a non-root user to authenticate to add/delete |
| 42 |
users/groups from an offset directory. This should be left to root |
| 43 |
only. Otherwise a dependency on pam_chroot or some other non-standard |
| 44 |
module would have to be created, or a new module would have to be |
| 45 |
written just for the --chroot option. |
| 46 |
|
| 47 |
In short, using the --chroot option if compiled with --with-libpam is |
| 48 |
fine so long as it's actually run as root. As far as I know, emerge has |
| 49 |
to be run as root (except for --pretend and searching). |
Archives