Re: Bizarre PAM authentication failures

Mike Gerdts wrote:

> Sounds to me like you have pam modules stacked and you have different
> passwords stored in different authentication sources.  Perhaps one of
> them is a shadow file, which is only readable by root.

No ... just one of them stacked, under auth required pam_pwdb.so.  It authenticates
some passwords and not others, depending on the password.  Short, long, it doesn't
matter - some work, some don't.  However, it always works when running as root.

Seems this would be an essential capability (i.e., *not* running as root) for
authentication of user-level functions driven from a shell or from a CGI script.  I
have a way around it by making my application module run setuid as root, but I suspect
that something lurks. I am running a shadowed password file which, of course, is
readable only by root.  I don't know how the pam_pwdb.so module would get itself
into root mode (is there such a thing as setuid for dynamic libraries?).  If it can't
read the shadow file, then it should *never* authenticate - but I can make it do
that by changing the target user's password to certain values.

So the inherent questions are:
1) must pam_authenticate be called only as root?
2) if not, how does it ever succeed in reading a shadow file if not setuid'd to