Re: [Exim] PAM for SMTP auth

Top Page
Delete this message
Reply to this message
Author: Adrian Daminato
Date:  
To: exim-users
Subject: Re: [Exim] PAM for SMTP auth
Here's a patch for my own problem, but only if running "security =
seteuid". I'd like to by default run in "security = seteuid+setuid",
but I don't have the time currently to figure out how to get exim to
regain root privileges just for PAM authentication. For whatever
reason, I can authenticate as the exim user without being root, but for
any other user, I need to be root (I may be missing something here??).
Here is a patch for 3.13 that I'm using that appears to be working.



Adrian Daminato wrote:
>
> Christof Meerwald wrote:
> >
> > >
> > >I'm not sure, but I think I'm missing something. Do I need to have the
> > >SMTP auth use the user of the localuser attempting to authenticate? Or
> > >is my PAM setup incorrect?
> >
> > Most likely pam_pwdb needs to have root privileges (meaning exim must run as
> > uid root) to get access to your shadow password file (at least the pam_unix
> > module supplied with Linux-PAM-0.69 doesn't work with shadow passwords if it
> > doesn't have root privileges)
> >
>
> I managed to get it to work, to an extent. It was looking for the
> password for my exim user. I tried to seteuid at the point of the PAM
> calls, but it fails. I want to be able to run exim as it's own user,
> only taking root privileges as it needs - how to I get exim to become
> root, seteuid as the user authenticating, then go back to it's 'regular'
> user? I've got most of it coded to save the current euid/uid/egid/gid,
> then switch back - but I can't switch because I'm not root. How does
> exim regain root privileges when it needs them?
>


--
Adrian Daminato
TUCOWS International Corp.
http://www.tucows.com*** src/auths/call_pam.c    Thu Jan 13 10:00:10 2000
--- src/auths/call_pam.new.c    Mon Feb  7 08:24:35 2000
***************
*** 114,119 ****
--- 114,120 ----
  pam_handle_t *pamh = NULL;
  struct pam_conv pamc;
  int pam_error;
+ int c_uid, c_gid;
  char *user;


/* Set up the input data structure: the address of the conversation function,
***************
*** 133,138 ****
--- 134,144 ----
user = string_nextinlist(&pam_args, ':', big_buffer, big_buffer_size);
if (user == NULL) user = "";

+ /* Set euid/egid to root for authenticating */
+ c_uid = geteuid();
+ c_gid = getegid();
+ if (geteuid() != root_uid) mac_seteuid(root_uid);
+
/* Start off PAM interaction */

DEBUG(9) debug_printf("Running PAM authentication for user \"%s\"\n", user);
***************
*** 154,159 ****
--- 160,171 ----
what should be passed as the second argument. */

pam_end(pamh, PAM_SUCCESS);
+
+ /* Return euid/egid to normal */
+
+ mac_seteuid(c_uid);
+ mac_setegid(c_gid);
+

/* Sort out the return code. If not success, set the error message. */