
Re: Open Xlock as root



> >As a sysadmin of 20 Redhat5.1 machines I was always able to unlock a
> >screen locked by a user with my root password. Since I upgraded all
> >machines to Redhat6.1 and in addition am using shadowed passwords this
> >doesn't work any more. I checked all the configuration files, added
> >+allowroot etc., but nothing helped.
> >
> >Can anybody give me a hint? Is it due to the shadowed passwords or did
> >redhat change something in the configuration files?
> 
> xlock, vlock, xscreensaver et al. under redhat (and debian potato) use 
> PAM to do the authentication, and do not run as root (not suid, 
> except perhaps xscreensaver). However, the PAM helper programs that 
> take care of verifying the passwords will only verify the password 
> of the user calling them, and no one else's.  This means a PAM program 
> running as user foo can only check user foo's password, not the root 
> password or anyone else's.
> 
> Redhat makes the shadow files mode 400 root.root, and makes no 
> attempt at working around the *lock programs, which should let root 
> override.
> 
> On Debian there is a shadow group and the shadow files are owned by 
> root.shadow mode 640, and vlock, xlock, and xscreensaver are all 
> setgid shadow (not suid root). This lets them use PAM for user 
> authentication, and if that fails they fall back on checking the root 
> password themselves by directly reading the /etc/shadow file.  This 
> configuration possibly adds a slight risk of these programs being 
> exploited to gain access to protected password information, but it's 
> either that or let your users lock you out.  I think the shadow group 
> is far safer than making *lock suid root for sure, though.
> 
> There is no configuration switch to allow a PAM application to check 
> passwords of users other than the one it is running as.  (At least AFAIK.)
Hello Ethan,
thank you very much for your very informative answer. Your explanation
really made sense, so I tried it and it worked. The only problem for me is
that I am not willing to always retune all of my installed machines after
installation. I expect Redhat to do a better job on this. In my opinion
they should really go ahead and adopt the solution of Debian or even come
up with something better. It is not acceptable to have a system where I
can't unlock a screen locked by a user. Sure, I could do a login on the
console and kill the user's xlock process, but this is not the way I expect
a LINUX system to do a good job for me.

Thanks again for your help!

	Thomas


--
Thomas Meinders, Institute B of Mechanics, University of Stuttgart
Pfaffenwaldring 9, D-70550 Stuttgart, phone: (+49) 711-685-6821, fax -6400
privat: Friesenstr. 20, 71065 Sindelfingen, (+49) 7031-871831
http://www.mechb.uni-stuttgart.de/people/Meinders 
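The privilege models Ethan contrasts above (Red Hat: shadow file 400 root.root and unprivileged *lock programs; Debian: shadow file 640 root.shadow and *lock programs setgid shadow) can be audited from the shell. The script below is an added example, not code from either poster or distribution; it assumes GNU `stat` (`-c`) and inspects whichever of xlock, vlock and xscreensaver are installed.

```shell
#!/bin/sh
# Classify how a screen-lock binary is privileged, given its octal mode,
# owner and group (the three fields printed by `stat -c '%a %U %G'`).
#   suid-root     : runs as root, the option the thread considers least safe
#   setgid-shadow : Debian model, can read /etc/shadow to verify root's password
#   unprivileged  : PAM only, so it can verify only the invoking user (root locked out)
#   other         : some privilege bit set that matches neither model
classify_lock_privs() {
    mode=$1; owner=$2; group=$3
    if [ $(( 0$mode & 04000 )) -ne 0 ] && [ "$owner" = root ]; then
        echo suid-root
    elif [ $(( 0$mode & 02000 )) -ne 0 ] && [ "$group" = shadow ]; then
        echo setgid-shadow
    elif [ $(( 0$mode & 06000 )) -eq 0 ]; then
        echo unprivileged
    else
        echo other
    fi
}

# Classify the shadow file's own protection from its mode, owner and group.
#   root-only    : mode 400/600 root.root (the Red Hat layout described above)
#   shadow-group : group-readable by the shadow group (the Debian layout)
#   too-open     : any world-readable bit, or an unexpected owner
classify_shadow_file() {
    mode=$1; owner=$2; group=$3
    if [ "$owner" != root ] || [ $(( 0$mode & 0004 )) -ne 0 ]; then
        echo too-open
    elif [ $(( 0$mode & 0040 )) -ne 0 ] && [ "$group" = shadow ]; then
        echo shadow-group
    elif [ $(( 0$mode & 0070 )) -eq 0 ]; then
        echo root-only
    else
        echo too-open
    fi
}

# Audit the live system: report /etc/shadow and each installed lock program.
audit_lock_setup() {
    [ -e /etc/shadow ] && \
        printf '/etc/shadow: %s\n' "$(classify_shadow_file $(stat -c '%a %U %G' /etc/shadow))"
    for prog in xlock vlock xscreensaver; do
        path=$(command -v "$prog" 2>/dev/null) || continue
        printf '%s: %s\n' "$path" "$(classify_lock_privs $(stat -c '%a %U %G' "$path"))"
    done
}
```

Run `audit_lock_setup` as any user; a result of `unprivileged` for every lock program together with `root-only` for `/etc/shadow` is exactly the combination that leaves root unable to unlock a user's screen.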



