Bug 64700 - start-stop-daemon doesn't use pam
Summary: start-stop-daemon doesn't use pam
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] baselayout
Hardware: All All
Importance: High major
Assignee: Gentoo's Team for Core System packages
Keywords: InVCS
 
Reported: 2004-09-19 17:40 UTC by Rafal Rzepecki
Modified: 2006-10-16 06:22 UTC (History)

Attachments
Add support for creating a PAM session for daemons (start-stop-daemon.patch, 5.25 KB, patch)
2005-03-21 17:33 UTC, Scott Dial
Update the makefile to link against pam libraries (Makefile.patch, 530 bytes, patch)
2005-03-21 17:35 UTC, Scott Dial
/etc/pam.d/start-stop-daemon (start-stop-daemon, 193 bytes, text/plain)
2005-03-21 17:36 UTC, Scott Dial
/etc/pam.d/start-stop-daemon (start-stop-daemon, 136 bytes, text/plain)
2005-12-13 07:47 UTC, Scott Dial
Updated to Makefile to use USE_PAM variable (Makefile.patch, 505 bytes, patch)
2005-12-13 07:58 UTC, Scott Dial
/etc/pam.d/start-stop-daemon (start-stop-daemon, 136 bytes, text/plain)
2005-12-16 08:28 UTC, Scott Dial

Description Rafal Rzepecki 2004-09-19 17:40:13 UTC
start-stop-daemon doesn't use pam. This makes it unable to peruse, for example, pam_limits. I also have this gut feeling that it might also be a security hole in an otherwise pam-enabled system, although I haven't found a way to exploit it (yet).

Actually the reason I have found this deficiency is that I have been looking for a way to limit my mldonkey's memory usage; but no limits files are in effect if pam is bypassed (as pam_limits session module is what imposes limits). Had start-stop-daemon been a shell script using su or sudo, it would use pam automagically.

I imagine it's easy to enable pam without recoding the whole thing by just execing su or sudo internally. Alas, I'm not sure if there wouldn't be any security problems resulting from this approach.
Comment 1 solar (RETIRED) gentoo-dev 2004-09-19 21:44:45 UTC
emerge info please
Comment 2 Rafal Rzepecki 2004-09-20 01:04:10 UTC
$ emerge info
Portage 2.0.50-r9 (2004.0, gcc-3.4.2, glibc-2.3.4.20040808-r0, 2.6.9-rc1)
=================================================================
System uname: 2.6.9-rc1 i686 Celeron (Coppermine)
Gentoo Base System version 1.4.3.12
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=pentium3 -pipe -mmmx -msse -mfpmath=sse,387 -mno-sse2 -mno-3dnow -maccumulate-outgoing-args"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/NX/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.1/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/tex/generic/config /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config /usr/share/texmf/tex/platex/config/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium3 -pipe -mmmx -msse -mfpmath=sse,387 -mno-sse2 -mno-3dnow -maccumulate-outgoing-args"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox sfperms"
GENTOO_MIRRORS="ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://mirror.nutsmaas.nl/gentoo/ http://gentoo.tiscali.nl/gentoo/ http://ftp.ntua.gr/pub/linux/gentoo/ http://ftp.easynet.nl/mirror/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.pl/gentoo-portage"
USE="S3TC X aalib acpi acpi4linux activefilter alsa arts artswrappersuid avi bitmap-fonts cdr crypt cups dba divx4linux dnd dvd encode esd flac foomaticdb gcl gd-external gdbm gif gpm gtk2 imlib irda java jce jikes joystick jpeg kadu-modules kde libcaca libg++ libwww linguas_eo linguas_pl lirc live mad matroska mbox mikmod mmx mmx2 monkey motif mozilla mpeg ncurses nls nvidia offensive oggvorbis opengl oss pam pda pdflib perl pic png postgres python qt quicktime readline rtc ruby samba scanner sdk sdl skey slang speex spell src sse ssl stroke tcltk tcpd tetex theora tiff transcode truetype unicode videos x86 xml xml2 xprint xv xvid xvmc zlib"
Comment 3 Scott Dial 2005-03-21 17:33:25 UTC
Created attachment 54121 [details, diff]
Add support for creating a PAM session for daemons
Comment 4 Scott Dial 2005-03-21 17:35:20 UTC
Created attachment 54122 [details, diff]
Update the makefile to link against pam libraries
Comment 5 Scott Dial 2005-03-21 17:36:26 UTC
Created attachment 54123 [details]
/etc/pam.d/start-stop-daemon
Comment 6 Scott Dial 2005-03-21 17:42:02 UTC
I have tested this all on my own server and can successfully run apache2 as the effective user "apache". There are several issues with rolling this in though. The code uses USE_PAM to enable the PAM code, however the baselayout does not configure itself, and AFAIK PAM is not a required package, so this needs to be dealt with by the ebuild. Simply remove the changes to the Makefile and it should compile like old.

For users of the new start-stop-daemon, 99% of the init.d scripts don't disclaim anything about what user the process will be forking into because they don't care. For any given start-stop-daemon startup line, you will have to add "-u <username>" to provide this information. Unless "-c <username>" is already changing into that user before spawning (not likely).

If there are any questions, or anything I can do to help refactor this patch to make it more suitable, please comment and I will get back to it.
Comment 7 SpanKY gentoo-dev 2005-11-20 04:04:39 UTC
care to handle this Roy ?
Comment 8 SpanKY gentoo-dev 2005-11-20 04:04:58 UTC
be nice if some PAM peeps could review the code itself too ...
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-11-20 04:20:55 UTC
The pamd file is wrong, it hardcodes the module path and that breaks multilib-strict.
The linking to pam_misc makes it Linux-PAM dependent, are you sure you need pam_misc? I can't see misc_conv being used and that is usually the only thing needed from that library.

The use of pam_limits itself is a bit dubious... I don't really feel like it should be enabled by default.
Comment 10 Roy Marples (RETIRED) gentoo-dev 2005-11-28 06:50:32 UTC
I like the idea myself, but would only feel happy committing it when our PAM guys
are happy with the patch ..... so make Diego happy (ie implement his requests in
comment #9) and I'll wang it in.
Comment 11 Scott Dial 2005-12-13 07:47:01 UTC
Created attachment 74646 [details]
/etc/pam.d/start-stop-daemon

This version is updated to not use hard-coded paths.
Comment 12 Scott Dial 2005-12-13 07:58:12 UTC
Created attachment 74647 [details, diff]
Updated to Makefile to use USE_PAM variable

The ebuild needs to conditionally provide USE_PAM="-DUSE_PAM -lpam" to the
make.

For instance, right now the src_compile step has something like:
	make -C "${S}"/src CC="$(tc-getCC)" LD="$(tc-getCC) ${LDFLAGS}" \
		CFLAGS="${CFLAGS}" || die

This needs to become:
	use pam && USE_PAM="-DUSE_PAM -lpam"
	make -C "${S}"/src CC="$(tc-getCC)" LD="$(tc-getCC) ${LDFLAGS}" \
		CFLAGS="${CFLAGS}" USE_PAM="${USE_PAM}" || die

I realize that across the baselayout ebuilds there are several variations of
this so I think that not providing a patch is prudent since this is a simple
change to make.
Comment 13 Scott Dial 2005-12-13 08:07:45 UTC
(In reply to comment #9)
> The use of pam_limits itself is a bit dubious... I don't really feel like it  
> should be enabled by default. 

I'm not sure how to address this complaint. The point of enabling pam on
start-stop-daemon is to get the pam_limits functionality. I realize that there
are lots of people with "pam" as a global use-flag, but I can't see the harm in
this change. I'd be happy to address this better, but I don't exactly see what
your desired change would be.
Comment 14 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-12-16 07:43:23 UTC
As pam_limits seems not to ever "drop off" a user, I'd say to put that
optional, to make sure that it does not die when pam_limits is not present.
After that, it would be fine for me.
Comment 15 Scott Dial 2005-12-16 08:28:42 UTC
Created attachment 74887 [details]
/etc/pam.d/start-stop-daemon

(In reply to comment #14)

Already I made the change to "optional." I'm not sure what making it "optional"
buys you, but I am admittedly ignorant on the subject matter so I am ok with
that change.

Then if nothing further, I think this solution is ready to be rolled-in now.
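
A check for the two review points raised about the PAM service file in comments 9 and 14 (no hard-coded module path, pam_limits marked "optional"). This is an added example, not code from this bug or from baselayout; the function name lint_pam_service and both sample files are hypothetical and constructed here.

```shell
#!/bin/sh
# Added example: lint a PAM service file for the two review points in this bug.
#   abs-path            module given as an absolute path (comment 9)
#   limits-not-optional pam_limits in the session stack without "optional" (comment 14)
# Prints "<line>:<finding>:<detail>" per problem; exit status 1 if any were found.
lint_pam_service() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            type = $1; sub(/^-/, "", type)      # "-session" = do not log a missing module
            ctl = $2; i = 3
            # A bracketed control such as [success=ok default=ignore] spans several fields.
            if (ctl ~ /^\[/)
                while (ctl !~ /\]$/ && i <= NF) ctl = ctl " " $(i++)
            mod = $i
            if (mod ~ /^\//) { print NR ":abs-path:" mod; bad = 1 }
            n = split(mod, parts, "/")
            if (type == "session" && parts[n] == "pam_limits.so" && ctl != "optional") {
                print NR ":limits-not-optional:" ctl; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample files (not the attachments from this bug).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed: hard-coded module path and "required" control' \
    'session required /lib/security/pam_limits.so' > "$tmp/before"
printf '%s\n' 'session optional pam_limits.so' > "$tmp/after"

lint_pam_service "$tmp/before" || echo "before: findings listed above"
lint_pam_service "$tmp/after" && echo "after: clean"
```
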
Comment 16 Roy Marples (RETIRED) gentoo-dev 2006-06-06 05:01:12 UTC
OK, I've committed this to our trunk repo - will appear in the first baselayout-1.13 release.
Comment 17 Roy Marples (RETIRED) gentoo-dev 2006-10-16 06:22:15 UTC
baselayout-1.13.0_alpha1 has this in, so fixed :)

alpha2 will work with OpenPAM for BSDs too, but we've disabled the use flag as the limits module is currently not working.