NAME
lcmaps_posix_enf.mod - LCMAPS plugin to switch user identity
SYNOPSIS
lcmaps_posix_enf.mod [-maxuid number of uids] [-maxpgid number of primary gids] [-maxsgid number of secondary gids]
DESCRIPTION
The Posix Enforcement plugin will enforce (apply) the gathered credentials that
are stacked in the data structure of the Plugin Manager. The plugin will get
the credential information that is gathered by one or more Acquisition
plugins. This implies that at least one Acquisition plugin should have been run
prior to this Enforcement plugin. All of the gathered information will be
checked by looking into the 'passwd' file of the system (FIXME: shouldn't that be
getpwent(2)?). These files have information about all registered system
accounts and their user groups.
The Posix Enforcement plugin does not check whether the secondary groups have
the primary UID as a member, so it is possible to end up with more group
memberships than what is defined in the group database.
The (BSD/POSIX) functions setreuid(2), setregid(2) and setgroups(2) are used to
change the privileges of the process from root to that of a local user.
OPTIONS
- -maxuid number of uids
- In principle, this will set the maximum number of allowed UIDs that this
plugin will handle, but at the moment only the first UID found will be
enforced; the others will be discarded. When a maximum is set, a failure
will be raised if the number of UIDs exceeds it. Without this value the
plugin will continue and will enforce only the first value found in the
credential data structure.
- -maxpgid number of primary gids
- This will set the maximum number of allowed Primary GIDs that this plugin
will handle, similar to -maxuid. Also here only the first primary
GID found will be taken into account.
- -maxsgid number of secondary gids
- This will set the maximum number of allowed Secondary GIDs that this plugin
will handle. This number is limited by the system (NGROUPS) and is usually 32.
If the plugin cannot determine the system value, it limits itself to 32.
The remaining options are considered dangerous, as they have the potential to
allow a client process to gain root privileges. The use of these options is
strongly discouraged.
- -set_only_euid {yes|no}
- The result of setting this option to 'yes' is that only the effective uid
is set. In other words, it is still possible to regain root (uid)
privileges for the process. This is definitely undesirable if this module
is used from a process like the gatekeeper, since it would be possible for
user jobs to get root privileges.
- -set_only_egid {yes|no}
- Analogous to the previous option, the result of setting this option to 'yes'
is that only the effective (primary) gid is set. In other words, it is
still possible to regain root (gid) privileges for the process. This is
definitely undesirable if this module is used from a process like the
gatekeeper, since it would be possible for user jobs to get root
privileges. Possibly this option should be set if the module is used by
gridFTP, since this service does not spawn user jobs and has to regain
root privileges at the end.
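The difference between switching only the effective uid and the permanent switch made with setgroups(2), setregid(2) and setreuid(2), as an added C example (not LCMAPS source code). The function names root_regainable and drop_permanently and the target id 65534 are assumptions made for the illustration.

```c
#define _GNU_SOURCE /* getresuid(), getresgid(), setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* POSIX rule: an unprivileged process may set its effective uid to its real
 * or saved uid, so root is recoverable while any of the three is still 0. */
int root_regainable(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid == 0 || euid == 0 || suid == 0;
}

/* Irreversible switch from root to uid/gid. Order matters: supplementary
 * groups and gids must change while the process is still root.
 * Returns 0 on success, -1 on any failure (the caller should then abort). */
int drop_permanently(uid_t uid, gid_t gid, const gid_t *sgids, size_t n)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (uid == 0 || gid == 0) return -1;      /* never "drop" to root */
    if (setgroups(n, sgids) != 0) return -1;  /* replace inherited groups */
    if (setregid(gid, gid) != 0) return -1;   /* real + effective gid */
    if (setreuid(uid, uid) != 0) return -1;   /* real + effective uid */
    /* Verify the resulting ids instead of trusting return codes alone. */
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0) return -1;
    if (r != uid || e != uid || s != uid) return -1;
    if (rg != gid || eg != gid || sg != gid) return -1;
    if (seteuid(0) == 0 || setegid(0) == 0) return -1; /* must be refused */
    return 0;
}

int main(void)
{
    const uid_t uid = 65534; /* constructed sample target, not from the page */
    const gid_t gid = 65534;
    /* Ids left behind by "-set_only_euid yes": real and saved uid stay 0. */
    printf("euid-only switch, root regainable: %d\n", root_regainable(0, uid, 0));
    printf("setreuid(uid, uid), root regainable: %d\n", root_regainable(uid, uid, uid));
    if (geteuid() == 0 && drop_permanently(uid, gid, &gid, 1) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    return 0;
}
```

Run as root to exercise the live drop; as an ordinary user only the two model lines are printed.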
RETURN VALUES
- LCMAPS_MOD_SUCCESS
- Success.
- LCMAPS_MOD_FAIL
- Failure.
BUGS
Please report any errors to the Nikhef Grid Middleware Security Team
<grid-mw-security-support@nikhef.nl>.
SEE ALSO
lcmaps.db(5), lcmaps(3), getpwent(3), getgrent(3), setreuid(2), setregid(2), setgroups(2).
AUTHORS
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team
<grid-mw-security@nikhef.nl>.