Provided by: lcmaps-plugins-basic-posixenf_1.6.1-3_i386

NAME

       lcmaps_posix_enf.mod - LCMAPS plugin to switch user identity

SYNOPSIS

       lcmaps_posix_enf.mod  [-maxuid  number  of  uids]  [-maxpgid  number of
       primary gids] [-maxsgid number of secondary gids]

DESCRIPTION

       The Posix Enforcement plugin will enforce (apply) the gathered credentials
       that are stacked in the data structure of the Plugin Manager.  The plugin
       gets the credential information that is gathered by one or more
       Acquisition plugins.  This implies that at least one Acquisition plugin
       should have been run prior to this Enforcement.  All of the gathered
       information will be checked by looking into the 'passwd' file of the
       system (FIXME: shouldn't that be getpwent(2)?).  These files hold
       information about all registered system accounts and their user groups.

       The Posix Enforcement plugin  does  not  check  whether  the  secondary
       groups  have  the  primary UID as a member, so it is possible to end up
       with more group memberships than what is defined in the group database.

       The (BSD/POSIX) functions setreuid(2), setregid(2) and setgroups(2) are
       used  to  change  the  privileges of the process from root to that of a
       local user.

OPTIONS

       -maxuid number of uids
              In principle, this sets the maximum number of allowed UIDs that
              this plugin will handle, but at the moment only the first UID
              found will be enforced; the others will be discarded.  By setting
              the value to a maximum, a failure is raised when the number of
              UIDs exceeds the set maximum.  Without this value the plugin
              continues and enforces only the first value found in the
              credential data structure.

       -maxpgid number of primary gids
              This will set the maximum number of allowed  Primary  GIDs  that
              this plugin will handle, similar to -maxuid.  Also here only the
              first primary GID found will be taken into account.

       -maxsgid number of secondary gids
              This will set the  maximum  allowed  Secondary  GIDs  that  this
              plugin  will  handle.   This  number  is  limited  by the system
              (NGROUPS) and is usually 32. If the plugin cannot determine  the
              system value, it limits itself to 32.

       The  remaining  options  are  considered  dangerous,  as  they have the
       potential to allow a client process to gain root privileges.   The  use
       of these options is strongly discouraged.

       -set_only_euid {yes|no}
              The  result  of  setting  this  option to 'yes' is that only the
              effective uid is set.  In other words, it is still  possible  to
              regain   root   (uid)  privileges  for  the  process.   This  is
              definitely undesirable if this module is  used  from  a  process
              like the gatekeeper, since it would be possible for user jobs to
              get root privileges.

       -set_only_egid {yes|no}
              Analogous to the previous option, the result of setting this
              option to 'yes' is that only the effective (primary) gid is set.
              In other words, it is still possible to regain root (gid)
              privileges for the process.  This is definitely undesirable if
              this module is used from a process like the gatekeeper, since it
              would be possible for user jobs to get root privileges.  Possibly
              this option should be set if the module is used by gridFTP,
              since this service does not spawn user jobs and has to regain
              root privileges at the end.
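       The following is an added illustration, not code from the LCMAPS
       plugin itself, of the privilege switch described under DESCRIPTION and
       of why -set_only_euid is dangerous: it applies a uid, primary gid and
       secondary gids with setgroups(2), setregid(2) and setreuid(2) in the
       order that still works from root, and then inspects the resulting
       (real, effective, saved) uid triple.  Function names, the 32-group
       fallback and the uid/gid 65534 used in main() are assumptions made for
       this example.

```c
#define _GNU_SOURCE            /* for getresuid(2) in glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Upper bound on secondary GIDs: the system's NGROUPS_MAX, or 32 when it
 * cannot be determined (the same fallback the -maxsgid text describes). */
long max_sgids(void)
{
    long n = sysconf(_SC_NGROUPS_MAX);
    return n > 0 ? n : 32;
}

/* Pure check on a (real, effective, saved) uid triple: the process runs as
 * a non-root effective uid, yet real or saved uid is still 0, so a plain
 * setreuid(2)/seteuid(2) call can bring uid 0 back.  This is exactly the
 * state that -set_only_euid leaves behind. */
int ids_allow_regaining_root(uid_t ruid, uid_t euid, uid_t suid)
{
    return euid != 0 && (ruid == 0 || suid == 0);
}

/* Apply gathered credentials.  set_only_euid=1 mimics the -set_only_euid
 * option.  Returns 0 on success, -1 on failure with errno set. */
int enforce_posix_ids(uid_t uid, gid_t pgid, const gid_t *sgids,
                      size_t nsgids, int set_only_euid)
{
    if ((long)nsgids > max_sgids()) { errno = EINVAL; return -1; }
    /* Order matters: groups and gid first, because once the uid is no
     * longer 0 the process may no longer call setgroups(2)/setregid(2). */
    if (setgroups(nsgids, sgids) != 0) return -1;
    if (setregid(pgid, pgid) != 0) return -1;
    if (set_only_euid)                      /* real uid stays 0: root is recoverable */
        return setreuid((uid_t)-1, uid);
    return setreuid(uid, uid);              /* real, effective and saved uid all change */
}

int main(void)
{
    uid_t r, e, s;
    gid_t sg[1] = { 65534 };                /* constructed sample: one secondary gid */
    if (geteuid() != 0) { puts("not root: nothing to drop"); return 0; }
    if (enforce_posix_ids(65534, 65534, sg, 1, 0) != 0) { perror("enforce"); return 1; }
    getresuid(&r, &e, &s);
    printf("ruid=%u euid=%u suid=%u regain_root=%d\n", (unsigned)r, (unsigned)e,
           (unsigned)s, ids_allow_regaining_root(r, e, s));
    return 0;
}
```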

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

BUGS

       Please report any errors to the Nikhef Grid  Middleware  Security  Team
       <grid-mw-security-support@nikhef.nl>.

SEE ALSO

       lcmaps.db(5),   lcmaps(3),   getpwent(3),   getgrent(3),   setreuid(2),
       setregid(2), setgroups(2).

AUTHORS

       LCMAPS and the LCMAPS plug-ins were  written  by  the  Grid  Middleware
       Security Team <grid-mw-security@nikhef.nl>.

                                March 22, 2011             LCMAPS_POSIX_ENF(8)