c – Permission problems in a setuid-root program

I wrote a program, compiled it, copied it to /usr/local/bin/ and gave it setuid-root file permission.

Unfortunately, I cannot run the program as intended because of permission problems: it works fine when I call it as an unprivileged user from the command line, but it generates errors when I call it as an unprivileged user via the pam_exec PAM module, which is how I want to use it in the end.

So far, I have found the following differences between calling it from the command line and calling it from pam_exec:

  1. When I do not give the program setuid-root file permission but instead give it the cap_setuid Linux capability, it works from the command line, but with pam_exec the program does not run at all, with the error "Operation not permitted".

  2. For a later part of the program's execution, not only the effective UID but also the real UID must be 0. On the command line, this works when I use setuid(0) in the program code, but with pam_exec, setuid(0) fails to change the real UID and I have to use setreuid(0,0) instead.

  3. Although the real and effective UIDs are both 0, errors of the type "Permission denied" and "Operation not permitted" still occur when the program is called from pam_exec. First this happened when running the external lvcreate command from my setuid-root program, and after solving that problem by using library calls (lvm dbus) instead, I even got an "Operation not permitted" when running a simple chown() on a directory in the local file system. Of course, all of this works perfectly when I run my program from the command line.

Any idea of the possible reasons why a program with setuid-root file permission (or a program with special Linux capabilities), when called by an unprivileged user from the pam_exec PAM module, behaves very differently from when it is called by an unprivileged user from the command line? Or how is it possible that the errors "Operation not permitted" and "Permission denied" occur although getuid() and geteuid() both return 0?

Cordially,
Christoph
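Below is an added diagnostic probe, not the asker's program and not part of the original post, for making the difference between the two call sites visible instead of guessing at it. It assumes the asker's binary can be replaced by this probe for testing (the name idprobe is hypothetical). It prints the real, effective and saved UIDs from getresuid(), the CapEff/CapPrm/CapBnd masks and the NoNewPrivs flag from /proc/self/status (the capability bit numbers are those from <linux/capability.h>), then attempts setuid(0) and, only if the real UID is still non-zero, falls back to setreuid(0,0), reporting the errno of whatever failed. Running it once from a shell and once through pam_exec (pam_exec's log= option captures the command's output to a file) and diffing the two outputs shows exactly which credentials differ between the two contexts.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_CHOWN     0
#define CAP_SETUID    7
#define CAP_SYS_ADMIN 21

/* Value following "<key>:" at the start of a line of a /proc/<pid>/status
 * body, parsed in the given base (16 for Cap* masks, 10 for NoNewPrivs).
 * A missing key yields 0, so an old kernel without NoNewPrivs reads as
 * "flag not set". */
uint64_t status_field(const char *status, const char *key, int base)
{
    size_t klen = strlen(key);
    const char *p = status;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == status || p[-1] == '\n') && p[klen] == ':')
            return (uint64_t)strtoull(p + klen + 1, NULL, base);
        p += klen;
    }
    return 0;
}

/* Test one capability bit in a CapEff/CapPrm/CapBnd mask. */
int mask_has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1u);
}

/* Read /proc/self/status into buf; returns bytes read or -1. */
ssize_t read_self_status(char *buf, size_t n)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (ssize_t)got;
}

/* Obtain real UID 0 the way the question describes: setuid(0) first, and
 * only if the real UID is still non-zero, setreuid(0, 0).  Returns 0 on
 * success, else the errno of the failing call; *used_setreuid records
 * whether the fallback was needed. */
int try_become_root(int *used_setreuid)
{
    *used_setreuid = 0;
    errno = 0;
    if (setuid(0) == 0 && getuid() == 0)
        return 0;
    *used_setreuid = 1;
    errno = 0;
    if (setreuid(0, 0) == 0 && getuid() == 0)
        return 0;
    return errno != 0 ? errno : EPERM;  /* call returned 0 but ruid unchanged */
}

int main(void)
{
    static char status[8192];
    uid_t ruid, euid, suid;
    int used_setreuid;

    getresuid(&ruid, &euid, &suid);
    printf("before: ruid=%u euid=%u suid=%u\n",
           (unsigned)ruid, (unsigned)euid, (unsigned)suid);

    if (read_self_status(status, sizeof status) < 0) {
        perror("/proc/self/status");
        return 1;
    }
    uint64_t eff = status_field(status, "CapEff", 16);
    printf("CapEff=%016llx CapPrm=%016llx CapBnd=%016llx NoNewPrivs=%llu\n",
           (unsigned long long)eff,
           (unsigned long long)status_field(status, "CapPrm", 16),
           (unsigned long long)status_field(status, "CapBnd", 16),
           (unsigned long long)status_field(status, "NoNewPrivs", 10));
    printf("effective: setuid=%d chown=%d sys_admin=%d\n",
           mask_has_cap(eff, CAP_SETUID), mask_has_cap(eff, CAP_CHOWN),
           mask_has_cap(eff, CAP_SYS_ADMIN));

    int err = try_become_root(&used_setreuid);
    getresuid(&ruid, &euid, &suid);
    printf("after %s: ruid=%u euid=%u suid=%u result=%s\n",
           used_setreuid ? "setreuid(0,0)" : "setuid(0)",
           (unsigned)ruid, (unsigned)euid, (unsigned)suid,
           err ? strerror(err) : "ok");
    return err ? 2 : 0;
}
```

Build with `gcc -O2 -o idprobe idprobe.c`, then install it the same way as the real program (`chown root idprobe; chmod u+s idprobe`, or `setcap cap_setuid+ep idprobe` for the capability variant) so that both call sites exercise identical file credentials; only the caller's context then remains as the variable.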