google / libpam-policycache

Password caching module with advanced policies for PAM.
Apache License 2.0

Add PAM environment variable support to pam_escalate.so #11

Closed vonhollen closed 10 years ago

vonhollen commented 10 years ago

These changes pass variables from pam_getenvlist in pam_escalate.so to pam-escalate-helper in the start message and do the reverse in the finish message. That will let us pass things like KRB5CCNAME in the user's environment to pam_krb5.so running inside pam-escalate-helper so the user's Kerberos creds are refreshed on screen unlock.

tokkee commented 10 years ago

Looks mostly good to me except for the minor comments.

Would it make sense to filter / whitelist the environment variables in the helper?

vonhollen commented 10 years ago

Thanks! I made the edits you requested, and added two more things. The helper will now call setuid/setgid(0) after recording getuid/getgid to make pam_krb5 happy, and pam_setcred will always be called after pam_authenticate.

For filtering the environment, it's less clear than pam_set_item which must always be whitelisted. I think passing it all through is the right thing to do, and if some common modules have vulnerabilities then we can fix it then. The nice thing is that the user can't just run arbitrary modules so the attack surface is reduced, and it never affects the actual process's environment.
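The helper-side filtering raised in this thread, as an added example that is not part of the pull request or the project's code. The allowlist contents, the function names and the sample variables are assumptions; the input is a NULL-terminated "NAME=value" array, the shape pam_getenvlist returns.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical allowlist: KRB5CCNAME is the only variable the thread names. */
static const char *const ALLOWED[] = { "KRB5CCNAME", NULL };

/* Constructed sample input in pam_getenvlist's "NAME=value" shape. */
static char *const SAMPLE_ENV[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_1000",
    "EDITOR=vi", "KRB5CCNAMEX=1", "=novalue", NULL };

/* 1 if entry is "NAME=value" and NAME exactly equals an allowlisted name. */
int env_entry_allowed(const char *entry, const char *const *allowed)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                       /* no '=' or empty name */
    size_t len = (size_t)(eq - entry);
    for (; *allowed != NULL; allowed++)
        if (strlen(*allowed) == len && memcmp(entry, *allowed, len) == 0)
            return 1;
    return 0;
}

void free_envlist(char **list)
{
    for (char **p = list; p != NULL && *p != NULL; p++)
        free(*p);
    free(list);
}

/* New NULL-terminated copy of the allowlisted entries; NULL on alloc failure. */
char **filter_envlist(char *const *env, const char *const *allowed)
{
    size_t n = 0, kept = 0;
    while (env[n] != NULL)
        n++;
    char **out = calloc(n + 1, sizeof(*out));
    for (size_t i = 0; out != NULL && i < n; i++) {
        if (!env_entry_allowed(env[i], allowed))
            continue;
        size_t sz = strlen(env[i]) + 1;
        if ((out[kept] = malloc(sz)) == NULL) {
            free_envlist(out);
            return NULL;
        }
        memcpy(out[kept++], env[i], sz);
    }
    return out;
}
```

Comparing the full name before `=` rather than a prefix keeps look-alike names such as KRB5CCNAMEX out, and entries with no `=` or an empty name are dropped.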