Provided by: lcmaps-plugins-basic-posixenf_1.7.1-1_amd64

NAME

       lcmaps_posix_enf.mod - LCMAPS plugin to switch user identity

SYNOPSIS

       lcmaps_posix_enf.mod [-maxuid number of uids] [-maxpgid number of primary gids]
       [-maxsgid number of secondary gids]

DESCRIPTION

       The Posix Enforcement plugin enforces (applies) the gathered credentials that are stacked in the
       data structure of the Plugin Manager. The plugin takes the credential information gathered by one
       or more Acquisition plugins, which implies that at least one Acquisition plugin must have run
       before this Enforcement plugin. All of the gathered information is checked against the 'passwd'
       file of the system (FIXME: shouldn't that be getpwent(2)?). These files hold the information about
       all registered system accounts and their groups.

       The Posix Enforcement plugin does not check whether the secondary groups have the primary UID as a
       member, so it is possible to end up with more group memberships than what is defined in the group
       database.

       The (BSD/POSIX) functions setreuid(2), setregid(2) and setgroups(2) are used to change the
       privileges of the process from root to that of a local user.

OPTIONS

       -maxuid number of uids
              In principle this sets the maximum number of UIDs that this plugin will handle, but at the
              moment only the first UID found is enforced; the others are discarded. Setting the value to
              a maximum raises a failure when the number of UIDs exceeds that maximum. Without this value
              the plugin continues and enforces only the first value found in the credential data
              structure.

       -maxpgid number of primary gids
              This sets the maximum number of Primary GIDs that this plugin will handle, similar to
              -maxuid. Here too only the first primary GID found is taken into account.

       -maxsgid number of secondary gids
              This sets the maximum number of Secondary GIDs that this plugin will handle. This number is
              limited by the system (NGROUPS) and is usually 32. If the plugin cannot determine the system
              value, it limits itself to 32.

       The remaining options are considered dangerous, as they have the potential to allow a client
       process to gain root privileges. The use of these options is strongly discouraged.

       -set_only_euid {yes|no}
              The result of setting this option to 'yes' is that only the effective uid is set. In other
              words, it is still possible to regain root (uid) privileges for the process. This is
              definitely undesirable if this module is used from a process like the gatekeeper, since it
              would be possible for user jobs to get root privileges.

       -set_only_egid {yes|no}
              Analogous to the previous option, the result of setting this option to 'yes' is that only
              the effective (primary) gid is set. In other words, it is still possible to regain root
              (gid) privileges for the process. This is definitely undesirable if this module is used from
              a process like the gatekeeper, since it would be possible for user jobs to get root
              privileges. Possibly this option should be set if the module is used by gridFTP, since this
              service does not spawn user jobs and has to regain root privileges at the end.
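       The identity switch described in DESCRIPTION, and the difference the -set_only_euid/-set_only_egid
       options make, reconstructed as an added C example that is not the plugin's own source: a full drop
       through setgroups(2), setregid(2) and setreuid(2) beside the effective-only variant, followed by a
       check that root can no longer be regained. The names drop_privileges and verify_dropped are
       assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* for setgroups() in <grp.h> on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Drop from root to a local identity. only_effective mirrors "-set_only_euid
 * yes" / "-set_only_egid yes": the real ids stay root, so the process can
 * switch back. Returns 0 on success, -1 on the first failing call. */
int drop_privileges(uid_t uid, gid_t gid, const gid_t *sgids, int nsgids, int only_effective)
{
    /* Groups first, while the process can still change them; the uid last. */
    if (setgroups((size_t)nsgids, sgids) != 0)
        return -1;
    if (setregid(only_effective ? (gid_t)-1 : gid, gid) != 0)
        return -1;
    if (setreuid(only_effective ? (uid_t)-1 : uid, uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if the drop is irreversible: real and effective ids equal the
 * target and switching the effective uid back to root is refused. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && seteuid(0) == 0) {
        /* A real or saved uid of 0 is still reachable: the -set_only_euid
         * case the man page warns about. Restore the id and report it. */
        (void)seteuid(uid);
        return 0;
    }
    return 1;
}

/* Stand-alone use: run as root with a local account name, e.g. "nobody". */
int main(int argc, char **argv)
{
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : NULL;
    if (pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid, &pw->pw_gid, 1, 0) != 0) {
        perror(pw ? "drop_privileges" : "getpwnam");
        return 1;
    }
    printf("confined: %s\n", verify_dropped(pw->pw_uid, pw->pw_gid) ? "yes" : "NO");
    return 0;
}
```

       An unprivileged process already satisfies verify_dropped for its own ids, since seteuid(0) is
       refused there; the same check run after an effective-only drop from root returns 0.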

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

BUGS

       Please report any errors to the Nikhef Grid Middleware Security Team
       <grid-mw-security-support@nikhef.nl>.

SEE ALSO

       lcmaps.db(5), lcmaps(3), getpwent(3), getgrent(3), setreuid(2), setregid(2), setgroups(2).

AUTHORS

       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team
       <grid-mw-security@nikhef.nl>.

                                                 March 22, 2011                              LCMAPS_POSIX_ENF(8)