lcmaps_posix_enf.mod

LCMAPS_POSIX_ENF(8)         System Manager's Manual        LCMAPS_POSIX_ENF(8)



NAME
       lcmaps_posix_enf.mod - LCMAPS plugin to switch user identity

SYNOPSIS
       lcmaps_posix_enf.mod [-maxuid number of uids] [-maxpgid number of
       primary gids] [-maxsgid number of secondary gids]


DESCRIPTION
       The Posix Enforcement plugin will enforce (apply) the gathered
       credentials that are stacked in the data structure of the Plugin
       Manager.  The plugin will get the credential information that is
       gathered by one or more Acquisition plugins. This implies that at least
       one Acquisition plugin should have been run prior to this Enforcement
       plugin.  All of the gathered information will be checked by looking
       into the 'passwd' file of the system (FIXME: shouldn't that be
       getpwent(2)?).  These files have information about all registered
       system accounts and their user groups.

       The Posix Enforcement plugin does not check whether the secondary
       groups have the primary UID as a member, so it is possible to end up
       with more group memberships than what is defined in the group database.

       The (BSD/POSIX) functions setreuid(2), setregid(2) and setgroups(2) are
       used to change the privileges of the process from root to that of a
       local user.


OPTIONS
       -maxuid number of uids
              In principle, this will set the maximum number of allowed UIDs
              that this plugin will handle, but at the moment only the first
              UID found will be enforced; the others will be discarded.  When
              a maximum is set, the plugin fails if the number of UIDs
              exceeds that maximum. Without this value the plugin will
              continue and will enforce only the first UID found in the
              credential data structure.

       -maxpgid number of primary gids
              This will set the maximum number of allowed Primary GIDs that
              this plugin will handle, similar to -maxuid.  Also here only the
              first primary GID found will be taken into account.

       -maxsgid number of secondary gids
              This will set the maximum number of allowed Secondary GIDs that
              this plugin will handle.  This number is limited by the system
              (NGROUPS) and is usually 32. If the plugin cannot determine the
              system value, it limits itself to 32.

       The remaining options are considered dangerous, as they have the
       potential to allow a client process to gain root privileges.  The use
       of these options is strongly discouraged.

       -set_only_euid {yes|no}
              The result of setting this option to 'yes' is that only the
              effective uid is set.  In other words, it is still possible to
              regain root (uid) privileges for the process.  This is
              definitely undesirable if this module is used from a process
              like the gatekeeper, since it would be possible for user jobs to
              get root privileges.

       -set_only_egid {yes|no}
              Analogous to the previous option, the result of setting this
              option to 'yes' is that only the effective (primary) gid is set.
              In other words, it is still possible to regain root (gid)
              privileges for the process.  This is definitely undesirable if
              this module is used from a process like the gatekeeper, since it
              would be possible for user jobs to get root privileges. Possibly
              this option should be set if the module is used by gridFTP,
              since this service does not spawn user jobs and has to regain
              root privileges at the end.
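
       The difference between the full switch described under DESCRIPTION
       and the '-set_only_euid yes' behaviour, as an added example that is
       not LCMAPS source code. The function names are hypothetical, and the
       effective-only path is assumed to behave like seteuid(2).

```c
/* Added example, not LCMAPS source; all function names are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* glibc: declare setgroups() under a strict -std= */
#endif
#include <grp.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Root is recoverable while the real, effective or saved uid is still 0:
 * an unprivileged process may set its effective uid to its real or saved uid. */
int can_regain_root(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid == 0 || euid == 0 || suid == 0;
}

/* Check the calling process: ids match the target and root is unreachable.
 * Returns 0 when the drop is complete, -1 otherwise. A caller must treat -1
 * as fatal, because a successful probe leaves the process with euid 0. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* Probe: for a non-root target, asking for uid 0 again must fail. */
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0)) return -1;
    return 0;
}

/* Switch from root to uid/gid with the given secondary groups.
 * only_euid models '-set_only_euid yes' (assumed equivalent to seteuid()):
 * the real and saved uid stay 0, so the switch is reversible. */
int switch_identity(uid_t uid, gid_t gid, const gid_t *sgids, size_t nsgids,
                    int only_euid)
{
    /* Order matters: groups and gid change while the process is still root. */
    if (setgroups(nsgids, sgids) != 0) return -1;
    if (setregid(gid, gid) != 0) return -1;
    if (only_euid)
        return seteuid(uid);                /* seteuid(0) still works later */
    if (setreuid(uid, uid) != 0) return -1; /* real, effective and saved uid */
    return verify_dropped(uid, gid);
}
```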


RETURN VALUES
       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.


BUGS
       Please report any errors to the Nikhef Grid Middleware Security Team
       <grid-mw-security-support@nikhef.nl>.

SEE ALSO
       lcmaps.db(5), lcmaps(3), getpwent(3), getgrent(3), setreuid(2),
       setregid(2), setgroups(2).

AUTHORS
       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware
       Security Team <grid-mw-security@nikhef.nl>.



                                March 22, 2011             LCMAPS_POSIX_ENF(8)