start-stop-daemon doesn't use pam. This makes it unable to peruse, for example, pam_limits. I also have this gut feeling that it might also be a security hole in an otherwise pam-enabled system, although I haven't found a way to exploit it (yet). Actually the reason I have found this deficiency is that I have been looking for a way to limit my mldonkey's memory usage; but no limits files are in effect if pam is bypassed (as pam_limits session module is what imposes limits). Had start-stop-daemon been a shell script using su or sudo, it would use pam automagically. I imagine it's easy to enable pam without recoding the whole thing by just execing su or sudo internally. Alas, I'm not sure if there wouldn't be any security problems resulting from this approach.
emerge info please
$ emerge info
Portage 2.0.50-r9 (2004.0, gcc-3.4.2, glibc-2.3.4.20040808-r0, 2.6.9-rc1)
=================================================================
System uname: 2.6.9-rc1 i686 Celeron (Coppermine)
Gentoo Base System version 1.4.3.12
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=pentium3 -pipe -mmmx -msse -mfpmath=sse,387 -mno-sse2 -mno-3dnow -maccumulate-outgoing-args"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/NX/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.1/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/tex/generic/config /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config /usr/share/texmf/tex/platex/config/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium3 -pipe -mmmx -msse -mfpmath=sse,387 -mno-sse2 -mno-3dnow -maccumulate-outgoing-args"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox sfperms"
GENTOO_MIRRORS="ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://mirror.nutsmaas.nl/gentoo/ http://gentoo.tiscali.nl/gentoo/ http://ftp.ntua.gr/pub/linux/gentoo/ http://ftp.easynet.nl/mirror/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.pl/gentoo-portage"
USE="S3TC X aalib acpi acpi4linux activefilter alsa arts artswrappersuid avi bitmap-fonts cdr crypt cups dba divx4linux dnd dvd encode esd flac foomaticdb gcl gd-external gdbm gif gpm gtk2 imlib irda java jce jikes joystick jpeg kadu-modules kde libcaca libg++ libwww linguas_eo linguas_pl lirc live mad matroska mbox mikmod mmx mmx2 monkey motif mozilla mpeg ncurses nls nvidia offensive oggvorbis opengl oss pam pda pdflib perl pic png postgres python qt quicktime readline rtc ruby samba scanner sdk sdl skey slang speex spell src sse ssl stroke tcltk tcpd tetex theora tiff transcode truetype unicode videos x86 xml xml2 xprint xv xvid xvmc zlib"
Created attachment 54121: Add support for creating a PAM session for daemons
Created attachment 54122: Update the makefile to link against pam libraries
Created attachment 54123: /etc/pam.d/start-stop-daemon
I have tested this all on my own server and can successfully run apache2 as the effective user "apache". There are several issues with rolling this in though. The code uses USE_PAM to enable the PAM code, however the baselayout does not configure itself, and AFAIK PAM is not a required package, so this needs to be dealt with by the ebuild. Simply remove the changes to the Makefile and it should compile like old. For users of the new start-stop-daemon, 99% of the init.d scripts don't disclaim anything about what user the process will be forking into because they don't care. For any given start-stop-daemon startup line, you will have to add "-u <username>" to provide this information. Unless "-c <username>" is already changing into that user before spawning (not likely). If there are any questions, or anything I can do to help refactor this patch to make it more suitable, please comment and I will get back to it.
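An added check, not code from this bug thread or from baselayout, for the problem the thread is about: once start-stop-daemon opens a PAM session, confirm from outside that the daemon's process really runs under the limits pam_limits was meant to apply, by reading /proc/<pid>/limits. The pid and the expected values are caller-supplied; the ones used at the bottom are constructed from the running shell's own ulimit output.

```bash
#!/bin/sh
# Added example, not from the bug thread or baselayout. Verifies whether a
# process runs under the limits pam_limits was supposed to impose, by
# reading /proc/<pid>/limits (Linux). Resource names are the ones the kernel
# prints there, e.g. "Max open files", "Max address space".

# Soft limit of one resource: proc_soft_limit PID "Max open files"
proc_soft_limit() {
    sed -n "s/^$2  *\([^ ]*\) .*/\1/p" "/proc/$1/limits"
}

# Hard limit of one resource (second value column).
proc_hard_limit() {
    sed -n "s/^$2  *[^ ]*  *\([^ ]*\) .*/\1/p" "/proc/$1/limits"
}

# Compare a pid's soft limits against an expected list given as lines of
# "<resource name>=<value>" (values as /proc prints them: a number or
# "unlimited"). Prints each mismatch and returns 1 if any, 0 if all match.
# After enabling the PAM session in start-stop-daemon, run this with the
# pid from the daemon's pidfile and the values from limits.conf.
check_soft_limits() {
    pid="$1"; expected="$2"; rc=0
    while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        have=$(proc_soft_limit "$pid" "$name")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH pid $pid: $name soft=$have expected=$want"
            rc=1
        fi
    done <<EOF
$expected
EOF
    return "$rc"
}

# Demo against this shell's own pid, with a constructed expectation read back
# from ulimit. A daemon started without a PAM session would show the limits
# inherited from init here rather than the limits.conf values.
check_soft_limits "$$" "Max open files=$(ulimit -S -n)" \
    && echo "limits match for pid $$"
```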
care to handle this Roy ?
be nice if some PAM peeps could review the code itself too ...
The pamd file is wrong, it hardcodes the module path and that breaks multilib-strict. The linking to pam_misc makes it Linux-PAM dependent, are you sure you need pam_misc? I can't see misc_conv being used and that is usually the only thing needed from that library. The use of pam_limits itself is a bit dubious... I don't really feel like it should be enabled by default.
I like the idea myself, but would only feel happy committing it when our PAM guys are happy with the patch ..... so make Diego happy (ie implement his requests in comment #9) and I'll wang it in.
Created attachment 74646: /etc/pam.d/start-stop-daemon

This version is updated to not use hard-coded paths.
Created attachment 74647: Updated Makefile to use USE_PAM variable

The ebuild needs to conditionally provide USE_PAM="-DUSE_PAM -lpam" to the make. For instance, right now the src_compile step has something like:

    make -C "${S}"/src CC="$(tc-getCC)" LD="$(tc-getCC) ${LDFLAGS}" \
        CFLAGS="${CFLAGS}" || die

This needs to become:

    use pam && USE_PAM="-DUSE_PAM -lpam"
    make -C "${S}"/src CC="$(tc-getCC)" LD="$(tc-getCC) ${LDFLAGS}" \
        CFLAGS="${CFLAGS}" USE_PAM="${USE_PAM}" || die

I realize that across the baselayout ebuilds there are several variations of this so I think that not providing a patch is prudent since this is a simple change to make.
(In reply to comment #9)
> The use of pam_limits itself is a bit dubious... I don't really feel like it
> should be enabled by default.

I'm not sure how to address this complaint. The point of enabling pam on start-stop-daemon is to get the pam_limits functionality. I realize that there are lots of people with "pam" as a global use-flag, but I can't see the harm in this change. I'd be happy to address this better, but I don't exactly see what your desired change would be.
As pam_limits seems not to ever "drop off" a user, I'd say to put that optional, to make sure that it does not die when pam_limits is not present. After that, it would be fine for me.
Created attachment 74887: /etc/pam.d/start-stop-daemon

(In reply to comment #14) Already I made the change to "optional." I'm not sure what making it "optional" buys you, but I am admittedly ignorant on the subject matter so I am ok with that change. Then if nothing further, I think this solution is ready to be rolled-in now.
OK, I've committed this to our trunk repo - will appear in the first baselayout-1.13 release.
baselayout-1.13.0_alpha1 has this in, so fixed :) alpha2 will work with OpenPAM for BSDs too, but we've disabled the use flag as the limits module is currently not working.