
Re: PAM and shadow



Wichert,

use pam_pwdb (which uses a little helper binary to check the user's own
password).  This is how Red Hat's xlock is not setuid root and yet works
with shadow passwords.
Alternatively, you could modify the helper binary to be of use with
pam_unix (shouldn't be too hard).

Cheers

Andrew

Wichert Akkerman wrote:
> 
> I was looking at modifying lockvc to use PAM the other day. lockvc is a
> terminal locking program that uses svgalib to show some nice graphics.
> Like all svgalib programs it drops its root privileges after
> initializing the graphic system. As a result when a user tries to unlock
> his system lockvc no longer can read /etc/shadow and PAM gives an error.
> 
> The standard solution I use is to open /etc/shadow before dropping the
> root privileges and later use fgetpwent() to get the shadow passwords.
> I looked at the PAM sources to see if I could make a PAM module which
> does that, but I found that apparently there is no method for a module
> to be initialized when pam_start() is called.
> 
> Is there any solution to this problem, besides adding an initialization
> function to the pam_module (hope I remembered the name correctly) struct?
> 
> Wichert.
> 
> --
> ==============================================================================
> This combination of bytes forms a message written to you by Wichert Akkerman.
> E-Mail: wakkerma@cs.leidenuniv.nl
> WWW: http://www.wi.leidenuniv.nl/~wichert/
> 
>   ------------------------------------------------------------------------
> 
>    Part 1.2   Type: application/pgp-signature


