On 2012-09-10 14:50, Oswald Buddenhagen wrote:

> sudo apparently sets the wrong requesting user (which is just the real
> uid of the process, iirc) when calling the pam stack, which breaks at
> least pam_xauth.
I started looking through the code but then realized the problem is irreconcilable design choices between sudo and pam_xauth (I don't know how I missed this previously):

pam_xauth(8) says:

    pam_xauth will work only if it is used from a setuid application in which the getuid() call returns the id of the user running the application [...]

and sudo(8) says:

    The real and effective uid and gid are set to match those of the target user [...]

So either one would have to change sudo to set (just) the RUID after passing through the PAM stack, or pam_xauth to rely on something other than the RUID.

Incidentally, both sudo and su set PAM_RUSER to the requesting user, which pam_xauth could use, but there are probably a few security issues to consider. I'll ask the PAM devel list about that.
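The two man-page sentences above describe an ordering problem in kernel credentials, which is easier to see with the credential calls alone. The following is an added example for this page, not code from the bug report or from the sudo, su or pam_xauth sources. It models two callers of the PAM session stack: an su-style setuid-root binary that leaves the real uid at the invoker until PAM has run (assumed here to be what pam_xauth(8) means by a setuid application whose getuid() returns the invoker), and a sudo-style caller that, as sudo(8) documents, sets real and effective uid to the target first. A module that identifies the requesting user the way pam_xauth does (by getuid()) then sees the invoker in the first case and the target in the second. The target uid 65534 is an arbitrary choice; the switch only succeeds when run as root, and the helper returns -1 otherwise.

```c
/* Added example: shows what a getuid()-based PAM module observes depending
   on whether the caller switches real uid before or after the PAM stack.
   Not from sudo, su or pam_xauth; uses only kernel credential calls. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum switch_model {
    MODEL_SU,   /* setuid-root style: real uid still the invoker when PAM runs */
    MODEL_SUDO  /* sudo(8) style: real+effective uid already the target */
};

/* How a getuid()-based module such as pam_xauth picks the requesting user:
   it is simply the real uid of the calling process. */
static uid_t xauth_style_requesting_uid(void)
{
    return getuid();
}

/* Perform the modelled uid switch in a child (so the caller's own
   credentials are untouched) and report the uid a getuid()-based PAM
   module would take as the requesting user. Returns -1 if the switch
   failed, e.g. when not running as root. */
long observed_requesting_uid(enum switch_model model, uid_t target)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        long seen = -1;
        int rc = 0;
        if (model == MODEL_SUDO)
            rc = setresuid(target, target, target); /* sudo: switch before PAM */
        /* MODEL_SU: no switch yet; real uid is still the invoker. */
        if (rc == 0)
            seen = (long)xauth_style_requesting_uid();
        close(fd[0]);
        if (write(fd[1], &seen, sizeof seen) != (ssize_t)sizeof seen)
            _exit(1);
        _exit(0);
    }

    close(fd[1]);
    long seen = -1;
    if (read(fd[0], &seen, sizeof seen) != (ssize_t)sizeof seen)
        seen = -1;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return seen;
}

int main(void)
{
    const uid_t target = 65534; /* arbitrary target uid for the demo */
    printf("invoker real uid        : %ld\n", (long)getuid());
    printf("seen via su-style model : %ld\n",
           observed_requesting_uid(MODEL_SU, target));
    printf("seen via sudo-style model: %ld (needs root; -1 = switch refused)\n",
           observed_requesting_uid(MODEL_SUDO, target));
    return 0;
}
```

Run as root, the sudo-style line prints the target uid (65534) rather than the invoker, which is exactly the value pam_xauth would use to locate the requesting user's .Xauthority; the su-style line prints the real invoker. The PAM_RUSER item mentioned above is set by the application itself and survives the uid switch, which is why it is the candidate alternative, but it is also only as trustworthy as the application that set it.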