
> Consider this python sample and assume it’s automatically being run at logon from the .bashrc of a technical account, such as postgres, to which the root user changes by typing su - postgres

From su man page: "su is mostly designed for unprivileged users, the recommended solution for privileged users (e.g., scripts executed by root) is to use non-set-user-ID command runuser(1) that does not require authentication and provides separate PAM configuration. If the PAM session is not required at all then the recommended solution is to use command setpriv(1)."



Why does PAM have sessions? I thought it was a layer of indirection over whether you’re using a password file or NIS or LDAP to verify passwords.


PAM provides authentication, authorization, session management and password changing.



