
Re: Open Xlock as root

On 2/12/99 Thomas Meinders wrote:

I checked all the newsgroups and other site but couldn't find a solution
for my following question:

As a sysadmin of 20 Redhat5.1 machines I was always able to unlock a
screen locked by a user with my root password. Since I upgraded all
machines to Redhat6.1 and in addition using shadowed passwords this
doesn't work any more. I checked all the configuration files, added
+allowroot etc, but nothing did help.

Can anybody give me a hint? Is it due to the shadowed passwords or did
redhat change something in the configuration files??

xlock, vlock, xscreensaver et al under redhat (and debian potato) use PAM to do the authentication, and do not run as root (not suid, except perhaps xscreensaver). However, the PAM helper programs that take care of verifying the passwords will only verify the password of the user calling it, and no one else's. This means a PAM program running as user foo can only check user foo's password, not the root password or anyone else's.

Redhat makes the shadow files mode 400 root.root, and makes no attempt at working around the *lock programs which should let root override.

On Debian there is a shadow group and the shadow files are owned by root.shadow mode 640, and vlock, xlock, and xscreensaver are all setgid shadow (not suid root). This lets them use PAM for user authentication, and if that fails they fall back on checking the root password themselves by directly reading the /etc/shadow file. This configuration possibly adds a slight risk of these programs being exploited to gain access to protected password information, but it's either that or let your users lock you out. I think the shadow group is far safer than making *lock suid root for sure though.

There is no configuration switch to allow a PAM application to check passwords of users other than what it is running as (at least AFAIK).

Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
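An added example, not part of Ethan Benson's reply or of any distribution's tooling, that turns the two layouts he contrasts (Red Hat: /etc/shadow mode 400 root.root with unprivileged lockers; Debian: mode 640 root.shadow with setgid-shadow lockers) into an audit check a sysadmin can run against a host. It assumes the Debian shadow group is literally named "shadow"; the file names in the constructed sample data ("/etc/shadow", "xlock") are placeholders, and on a live system `facts_from_path()` gathers the real owner, group and mode bits.

```python
# Added example (not from the original post): classify the permission layouts the
# thread describes.  Assumptions: the Debian shadow group is named "shadow", and the
# screen-locker paths are whatever the caller passes in.
import grp
import os
import pwd
import stat
from typing import NamedTuple


class FileFacts(NamedTuple):
    path: str
    mode: int   # permission bits only (st_mode & 0o7777), incl. setuid/setgid
    owner: str  # owner name, e.g. "root"
    group: str  # group name, e.g. "root" or "shadow"


SHADOW_GROUP = "shadow"  # assumed name of the Debian shadow group


def classify_shadow_file(f: FileFacts) -> str:
    """Which of the two /etc/shadow layouts from the thread does this match?"""
    if f.mode & 0o007:
        return "world-readable"          # never acceptable for password hashes
    if f.owner != "root":
        return "not-root-owned"          # unexpected; treat as misconfiguration
    if f.mode & 0o070 == 0:
        return "root-only"               # Red Hat: mode 400 root.root, only root reads it
    if f.mode & 0o070 == 0o040 and f.group == SHADOW_GROUP:
        return "shadow-group"            # Debian: mode 640 root.shadow
    return "group-readable-other"        # readable by some group other than shadow


def classify_locker(f: FileFacts) -> str:
    """How much privilege does a *lock binary carry, and can root override it?"""
    if f.mode & stat.S_ISUID and f.owner == "root":
        return "setuid-root"             # full root privilege; widest blast radius
    if f.mode & stat.S_ISGID and f.group == SHADOW_GROUP:
        return "setgid-shadow"           # can read /etc/shadow directly
    return "unprivileged"                # PAM checks only the calling user's password


def root_can_unlock(shadow: FileFacts, locker: FileFacts) -> bool:
    """True when this locker can verify root's password under this shadow layout."""
    kind = classify_locker(locker)
    if kind == "setuid-root":
        return True
    if kind == "setgid-shadow":
        # setgid shadow only helps if the shadow file is actually group-readable
        return classify_shadow_file(shadow) == "shadow-group"
    return False


def facts_from_path(path: str) -> FileFacts:
    """Collect FileFacts for a real file on this host (needs no privilege to stat)."""
    st = os.stat(path)
    return FileFacts(
        path,
        stat.S_IMODE(st.st_mode),
        pwd.getpwuid(st.st_uid).pw_name,
        grp.getgrgid(st.st_gid).gr_name,
    )


def audit(shadow: FileFacts, lockers: list) -> dict:
    """Summarise one shadow file and a set of locker binaries."""
    return {
        "shadow": classify_shadow_file(shadow),
        "lockers": {l.path: classify_locker(l) for l in lockers},
        "root_override": {l.path: root_can_unlock(shadow, l) for l in lockers},
    }


# Constructed sample data mirroring the two layouts described in the thread.
REDHAT_SHADOW = FileFacts("/etc/shadow", 0o400, "root", "root")
DEBIAN_SHADOW = FileFacts("/etc/shadow", 0o640, "root", "shadow")
UNPRIV_XLOCK = FileFacts("xlock", 0o755, "root", "root")     # Red Hat style
SETGID_XLOCK = FileFacts("xlock", 0o2755, "root", "shadow")  # Debian style
SUID_XLOCK = FileFacts("xlock", 0o4755, "root", "root")      # the option the post argues against

if __name__ == "__main__":
    # On a live host, swap in facts_from_path("/etc/shadow") and the real locker paths.
    print("Red Hat-style:", audit(REDHAT_SHADOW, [UNPRIV_XLOCK]))
    print("Debian-style: ", audit(DEBIAN_SHADOW, [SETGID_XLOCK]))
```

The classifier keeps the shadow-file check and the locker check separate because, as the post notes, setgid shadow on the binary only buys a root override when the shadow file is itself group-readable by that group; an unprivileged locker against a 400 root.root shadow file is exactly the "users can lock you out" case.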
