PAM touching shadow?

Jason Gerfen jason.gerfen at scl.utah.edu
Mon Jul 19 13:49:37 UTC 2004


The applications which use PAM (depending on which distro you're using, 
they are located in /etc/pam.conf or /etc/pam.d/<name of application>) will 
always verify credentials using the /etc/passwd and /etc/shadow files.

You may be able to configure your X display to use various options for 
allowing the user to keep their screensaver lock by adding something 
like the following to your X display subsystem:

XDM or GDM (files which use PAM in the /etc/pam.d)
auth required pam_unix.so use_authtok no_warn use_first_pass
auth required pam_unix2.so use_authtok no_warn use_first_pass
session required pam_unix.so use_authtok no_warn use_first_pass
account required pam_unix.so use_authtok no_warn use_first_pass
password required pam_unix.so use_authtok no_warn use_first_pass

# Since I am not sure which section (auth, session, account or password) 
is actually being called once the user logs back in after unlocking the 
screensaver, I would try the listed options to prevent unnecessary events 
to the auditor.

The four options I listed for each section of the pam_unix.so module 
might prevent your issue:

no_warn
use_first_pass
use_mapped_pass
use_authtok

Hope this helps...
 
Eric Reischer wrote:

>Precisely; however it is trying to open /etc/shadow *as the logged-in
>user*, not root.  This is what's throwing the errors in the audit log.
>
>Eric
>
>*********************************************************************
>Eric Reischer                                 emr at engr.de.psu.edu
>"The most beautiful thing we can experience
>is the mysterious."                    -- Albert Einstein
>*********************************************************************
>
>
>On Mon, 19 Jul 2004, Igmar Palsenberg wrote:
>
>  
>
>>>Unfortunately,
>>>however, our workstations running xscreensaver have SNARE reporting that
>>>the (non-root) logged-in user unsuccessfully attempts to touch the
>>>/etc/shadow file, with timestamps that correspond to the exact times that
>>>the user unlocks the window via xscreensaver.
>>>      
>>>
>>Sounds logical to me: xscreensaver needs to verify the user's password,
>>lets PAM handle that, and PAM needs to open /etc/shadow to verify the
>>actual hashes.
>>
>>    
>>
>>>I have narrowed it down to PAM (I think), as I've recompiled xscreensaver
>>>with absolutely no passwd references; only the PAM libraries compiled in,
>>>and the problem still presents itself.  Does anyone know if PAM is making
>>>this call at some point, and if so, what is the reason behind it?  Is PAM
>>>just doing a sanity permission check on the shadow file?
>>>      
>>>
>>It's probably opening it.
>>
>>
>>
>>	Igmar
>>
>>
>>_______________________________________________
>>Pam-list mailing list
>>Pam-list at redhat.com
>>https://www.redhat.com/mailman/listinfo/pam-list


-- 
Jason Gerfen
Student Computing Group
Marriott Library
University of Utah
(801) 585-9810
jason.Gerfen at scl.utah.edu

"...Sometimes I just yell at myself. And it
 makes me sad, sometimes I make myself cry..."
			~ My nephew Dawsyn
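The stanza suggested in the message above is written in the /etc/pam.d/<service> layout (four columns), and the message also mentions /etc/pam.conf, which adds a leading service column. As an added example, not code from the original post or from Linux-PAM itself, here is a small parser that reads either layout and reports which modules and options each management group (auth, account, password, session) runs, so an administrator can confirm that an option such as use_first_pass really was applied to every section before blaming PAM for the audit events. The file contents below are constructed samples; the bracketed control field and backslash line continuation are PAM syntax the message does not cover, and the helper names are my own.

```python
"""Parse PAM stack definitions like the xscreensaver stanza in the thread.

Added example, not code from the original message. Handles both layouts
the message refers to: /etc/pam.d/<service> (four columns) and
/etc/pam.conf (five columns, service name first).
"""
from dataclasses import dataclass, field

MANAGEMENT_GROUPS = ("auth", "account", "password", "session")

# Constructed copy of the stanza suggested in the message, as it would
# appear in /etc/pam.d/xscreensaver (service name comes from the filename).
PAMD_XSCREENSAVER = """\
auth     required pam_unix.so  use_authtok no_warn use_first_pass
auth     required pam_unix2.so use_authtok no_warn use_first_pass
session  required pam_unix.so  use_authtok no_warn use_first_pass
account  required pam_unix.so  use_authtok no_warn use_first_pass
password required pam_unix.so  use_authtok no_warn use_first_pass
"""

# Constructed sample in /etc/pam.conf layout: leading service column,
# a bracketed control value and a backslash line continuation.
PAMCONF_SAMPLE = """\
# comment lines and blanks are ignored
xscreensaver auth required pam_unix.so nullok

login auth [success=1 default=ignore] pam_unix.so \\
             use_first_pass
"""


@dataclass
class PamEntry:
    service: str
    group: str    # auth, account, password or session
    control: str  # required, sufficient, ... or a [value=action ...] list
    module: str   # e.g. pam_unix.so
    options: list = field(default_factory=list)


def _take_control(tokens):
    """Pop the control field; a [..] control may span several tokens."""
    if not tokens[0].startswith("["):
        return tokens.pop(0)
    parts = []
    while tokens:
        parts.append(tokens.pop(0))
        if parts[-1].endswith("]"):
            return " ".join(parts)
    raise ValueError("unterminated [..] control field")


def parse_pam(text, service=None):
    """Return a list of PamEntry.

    service=None means pam.conf layout (service column present);
    otherwise the text is a pam.d file for that service.
    """
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.endswith("\\"):                 # PAM joins continuation lines
            pending.append(line[:-1])
            continue
        tokens = " ".join(pending + [line]).split()
        pending = []
        if len(tokens) < (3 if service else 4):
            raise ValueError(f"too few fields: {line!r}")
        svc = service if service else tokens.pop(0)
        group = tokens.pop(0).lstrip("-")       # leading '-' = ignore if module missing
        if group not in MANAGEMENT_GROUPS:
            raise ValueError(f"unknown management group {group!r}")
        control = _take_control(tokens)
        if not tokens:
            raise ValueError(f"missing module name: {line!r}")
        module = tokens.pop(0)
        entries.append(PamEntry(svc, group, control, module, tokens))
    return entries


def stack(entries, group):
    """Modules (with their options) run for one management group, in order."""
    return [(e.module, e.options) for e in entries if e.group == group]


def missing_option(entries, module, option):
    """Groups whose `module` line lacks `option`; useful when a change is
    meant to be applied to every section, as the message recommends."""
    return [e.group for e in entries
            if e.module == module and option not in e.options]


if __name__ == "__main__":
    for e in parse_pam(PAMD_XSCREENSAVER, service="xscreensaver"):
        print(e.group, e.control, e.module, " ".join(e.options))
    conf = parse_pam(PAMCONF_SAMPLE)
    print("use_first_pass missing in:",
          missing_option(conf, "pam_unix.so", "use_first_pass"))
```

Run it as a script to list each stanza line, or import it and point parse_pam at the real /etc/pam.d/xscreensaver contents; missing_option is the check that tells you which sections still lack the option you thought you had added everywhere.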
