SYNOPSIS
lcmaps_posix_enf.mod [-maxuid|-MAXUID <number of uids>] [-maxpgid|-MAXPGID <number of primary gids>] [-maxsgid|-MAXSGID <number of secondary gids>]
The Posix Enforcement plugin will enforce (apply) the gathered credentials that are stacked in the datastructure of the Plugin Manager. The plugin will get the credential information that is gathered by one or more Acquisition plugins. This implies that at least one Acquisition should have been run prior to this Enforcement. All of the gathered information will be checked by looking into the 'passwd' file of the system. These files have information about all registered system account and its user groups.
The Posix Enforcent plugin does not validate the secondary GIDs. It does check the existance of the GID and the UID. They must exist although it is not needed that the GID and UID are a pair of each other.
The (BSD/POSIX) functions setreuid(), setregid() and setgroups() are used to change the privileges of the process from root to that of a local user.
OPTIONS
-MAXUID <number of uids>
See -maxuid
-maxuid <number of uids>
In principle, this will set the maximum number of allowed UIDs that this plugin will handle, but at the moment only the first UID found will be enforced; the others will discarded. By setting the value to a maximum there will be a failure raised when the amount of UIDs exceed the set maximum. Without this value the plugin will continue and will enforce only the first found value in the credential data structure.
-MAXPGID <number of primary gids>
See -maxpgid
-maxpgid <number of primary gids>
This will set the maximum number of allowed Primary GIDs that this plugin will handle, similar to -maxuid. Also here only the first primary GID found will be taken into account.
-MAXSGID <number of secondary gids>
See -maxsgid
-maxsgid <number of secondary gids>
This will set the maximum allowed Secondary GIDs that this plugin will handle. This number is limited by the system (NGROUPS) and is usually 32. If the plugin cannot determine the system value, it limits itself to 32.
-set_only_euid [yes|no]
The result of setting this option to 'yes' is that only the effective uid is set. In other words, it is still possible to regain root (uid) privileges for the process. This is definitely undesirable if this module is used from a process like the gatekeeper, since it would be possible for user jobs to get root privileges ! THIS IS A DANGEROUS OPTION, PLEASE KNOW WHAT YOU'RE DOING ! By default, this option is set to 'no'. Possibly this option should be set if the module is used by gridFTP, since this service does not spawn user jobs and has to regain root pivileges at the end.
-set_only_egid [yes|no]
Analogue to the previous option the result of setting this option to 'yes' is that only the effective (primary) gid is set. In other words, it is still possible to regain root (gid) privileges for the process. This is definitely undesirable if this module is used from a process like the gatekeeper, since it would be possible for user jobs to get root privileges ! THIS IS A DANGEROUS OPTION, PLEASE KNOW WHAT YOU'RE DOING ! By default, this option is set to 'no'. Possibly this option should be set if the module is used by gridFTP, since this service does not spawn user jobs and has to regain root pivileges at the end.
SEE ALSO
lcmaps_localaccount.mod, lcmaps_poolaccount.mod, lcmaps_ldap_enf.mod, lcmaps_voms.mod, lcmaps_voms_poolaccount.mod, lcmaps_voms_poolgroup.mod, lcmaps_voms_localgroup.mod
1.2.8.1 written by Dimitri van Heesch,
© 1997-2001