Subject: Re: Irritation with shutdown(8) and postgress rc.d script
To: Bill Stouder-Studenmund <wrstuden@NetBSD.org>
From: SODA Noriyuki <soda@sra.co.jp>
List: tech-security
Date: 03/13/2007 15:12:01
>>>>> On Mon, 12 Mar 2007 21:41:28 -0800,
      Bill Stouder-Studenmund <wrstuden@NetBSD.org> said:

> Options:

> 1) Make pam_rootok check effective too.

At least this isn't a valid option, as John Nemeth mentioned in the
private talk, because:

1. It breaks compatibility with the old NetBSD su, which didn't use PAM.
   (The old NetBSD su checked the real id too.)
2. It breaks compatibility with every other PAM implementation,
   including FreeBSD, Linux, and so on...
   Using the same name (pam_rootok) for different functionality (real id vs.
   effective id) is not what users expect.
3. This may introduce security problems (think about third-party
   applications which use pam_rootok in their configuration).

> 3) Make shutdown set its real id to root as well.

I think this is the way to go.
The shutdown hooks should be executed with real id == 0, just like
"su root -c <command>", I guess.
-- 
soda