LCMAPS_POSIX_ENF(8) | System Manager's Manual | LCMAPS_POSIX_ENF(8) |
lcmaps_posix_enf.mod - LCMAPS plugin to switch user identity
lcmaps_posix_enf.mod [-maxuid number of uids] [-maxpgid number of primary gids] [-maxsgid number of secondary gids]
The Posix Enforcement plugin enforces (applies) the gathered credentials that are stacked in the data structure of the Plugin Manager. It obtains the credential information gathered by one or more Acquisition plugins, which implies that at least one Acquisition plugin must have run prior to this Enforcement plugin. All of the gathered information is checked by looking into the 'passwd' file of the system (FIXME: shouldn't that be getpwent(2)?). These files hold information about all registered system accounts and their user groups.
The Posix Enforcement plugin does not check whether the secondary groups have the primary UID as a member, so it is possible to end up with more group memberships than what is defined in the group database.
The (BSD/POSIX) functions setreuid(2), setregid(2) and setgroups(2) are used to change the privileges of the process from root to that of a local user.
The remaining options are considered dangerous, as they have the potential to allow a client process to gain root privileges. The use of these options is strongly discouraged.
Please report any errors to the Nikhef Grid Middleware Security Team <grid-mw-security-support@nikhef.nl>.
lcmaps.db(5), lcmaps(3), getpwent(3), getgrent(3), setreuid(2), setregid(2), setgroups(2).
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team <grid-mw-security@nikhef.nl>.
March 22, 2011 |