PBM: $TMP directory inaccessible with LXDM and PAM/mktemp

[VinzC]

Hi all.

Today I wanted to provide secure TMP directories to my user accounts hence enabled PAM "mktemp" use flag. To my surprise $TMP contains /tmp/.private/nobody regardless of who opens an LXDE session .

[VinzC]

Looks like there's a currently in-process bug about this.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”

[kimmie]

FYI, pam with USE=mktemp doesn't play well with samba either: https://bugzilla.samba.org/show_bug.cgi?id=5987

[VinzC]

Yeah, sounds so. I just wonder why this "nobody" thing and what «[...] when the user is switched
during authentication» is supposed to mean.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”

[kimmie]

The smbd daemon runs as root. When a connection occurs it creates a private tmp directory with uid of nobody, and spawns a process to handle the session which uses that tempory directory as it's current directory. The session process then switches to the uid of the connected user, after which it can no longer access its own current directory. Kaboom!

[VinzC]

Hmmm... it then means LXDM runs that way too or uses such a mechanism, right? Anyway this user switching that is said PAM doesn't like rather means pam_mktemp doesn't like it if I've gotten it right. Also it looks questionable to me as to switching to user nobody beforehand because it might happen that concurrent authentications do clash; I might be wrong of course since I'm no PAM specialist.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”

[kimmie]

I'm not sure what happens where, but yeah, it looks like both LXDM and samba have similar issues with pam_mktemp.