For teaching purposes, I need to create a server/client application in C, running on OS like Ubuntu. The client has to check whether if a specific user exists on the server, so the server (run maybe as user nobody) has to validate the combination of username/password, then if the login is successful the newly authenticated user can create files on his behalf, i.e. even if the server is run as user nobody, when userA logins and then decides to create a file, then the file has to be owned by userA.
So my questions are:
I'm getting lost in the PAM world as I'm not very experienced
Yes, it seems a good idea to use PAM for that. At least it would be a terribly bad idea to reinvent the wheel. That always a bad idea to reinvent the wheel anyway, but that is especially bad about authentication.
PAM is only about authentication. It doesn't provide anything to give user any special power after they are authenticated.
For example, it doesn't allow to write files with the permissions associated with the user. All it does is allowing you, if I may say it so, to hijack the login authentication that exist in linux (the one that allows a user to login in in the console) to your own profit: using the login/password db (/etc/password, /etc/shadow, etc.), prompting the user in a safe way to type in their password, and verify it in a safe way, etc.
See it as a library that can read /etc/password for you.
And, with that session stuff, that can also handle authentication tokens, so that even other codes could use pam with the same user and see that the user is already authenticated to avoid asking password several times.
So, if what you need to do is, once user is authenticated, to modify files that belong to that user (and ensure that those operation won't write on files that this user should no be able to write to), with that user ownership, then, yes, setuid is the natural way.
(If all what you do is writing files using ad-hoc code in your server, you could also just write them, and then use chown or the like to deal with that directly yourself).
But your question seems to imply that there is an alternative here: either pam sessions or setuid. It is not an alternative. Both serve different purpose, and you need both (or use an another replacement for both, but that is 2 different actions). One is to verify who is the user, and the other is to do things as that user once you are sure that you are allowed to.
A program like sudo for example, use both. First, it uses pam to check that you are really who you claim to be. Then, after checking in sudoers if you who you claim to be (and even who you are, since this has now been verified with pam) is allowed to perform the wanted command. And then, it uses setuid to perform that command as root.
Likewise a command such as su user uses pam to check if you do have the password for user. And then, once that done, use setuid to spawn a /bin/bash shell executed as user user.