oracular (8) lcmaps_posix_enf.mod.8.gz

Provided by: lcmaps-plugins-basic-posixenf_1.7.1-1ubuntu2_amd64 bug

NAME

       lcmaps_posix_enf.mod - LCMAPS plugin to switch user identity

SYNOPSIS

       lcmaps_posix_enf.mod  [-maxuid number of uids] [-maxpgid number of primary gids] [-maxsgid
       number of secondary gids]

DESCRIPTION

       The Posix Enforcement plugin will  enforce  (apply)  the  gathered  credentials  that  are
       stacked  in  the  datastructure of the Plugin Manager.  The plugin will get the credential
       information that is gathered by one or more Acquisition  plugins.  This  implies  that  at
       least one Acquisition should have been run prior to this Enforcement.  All of the gathered
       information will be checked by looking into  the  'passwd'  file  of  the  system  (FIXME:
       shouldn't that be getpwent(2)?).  These files have information about all registered system
       account and its user groups.

       The Posix Enforcement plugin does not check whether the secondary groups have the  primary
       UID  as  a  member,  so  it is possible to end up with more group memberships than what is
       defined in the group database.

       The (BSD/POSIX) functions setreuid(2), setregid(2) and setgroups(2) are used to change the
       privileges of the process from root to that of a local user.

OPTIONS

       -maxuid number of uids
              In  principle,  this  will  set the maximum number of allowed UIDs that this plugin
              will handle, but at the moment only the first  UID  found  will  be  enforced;  the
              others  will  discarded.  By setting the value to a maximum there will be a failure
              raised when the amount of UIDs exceed the  set  maximum.  Without  this  value  the
              plugin  will continue and will enforce only the first found value in the credential
              data structure.

       -maxpgid number of primary gids
              This will set the maximum number of allowed Primary  GIDs  that  this  plugin  will
              handle,  similar  to  -maxuid.   Also here only the first primary GID found will be
              taken into account.

       -maxsgid number of secondary gids
              This will set the maximum allowed Secondary GIDs  that  this  plugin  will  handle.
              This  number  is  limited  by the system (NGROUPS) and is usually 32. If the plugin
              cannot determine the system value, it limits itself to 32.

       The remaining options are considered dangerous, as they have  the  potential  to  allow  a
       client process to gain root privileges.  The use of these options is strongly discouraged.

       -set_only_euid {yes|no}
              The  result  of setting this option to 'yes' is that only the effective uid is set.
              In other words, it is still possible  to  regain  root  (uid)  privileges  for  the
              process.  This is definitely undesirable if this module is used from a process like
              the gatekeeper, since it would be possible for user jobs to get root privileges.

       -set_only_egid {yes|no}
              Analogue to the previous option the result of setting this option to 'yes' is  that
              only  the  effective (primary) gid is set.  In other words, it is still possible to
              regain root (gid) privileges for the process.  This is  definitely  undesirable  if
              this  module is used from a process like the gatekeeper, since it would be possible
              for user jobs to get root privileges. Possibly this option should  be  set  if  the
              module  is  used by gridFTP, since this service does not spawn user jobs and has to
              regain root pivileges at the end.

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

BUGS

       Please report any errors to the Nikhef Grid Middleware  Security  Team  <grid-mw-security-
       support@nikhef.nl>.

SEE ALSO

       lcmaps.db(5), lcmaps(3), getpwent(3), getgrent(3), setreuid(2), setregid(2), setgroups(2).

AUTHORS

       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team <grid-mw-
       security@nikhef.nl>.

                                          March 22, 2011                      LCMAPS_POSIX_ENF(8)