SuSE loading PAM?
Joe Lewis
joe at joe-lewis.com
Tue Jun 22 22:10:10 UTC 2004
If there is no /etc/passwd account with an ID of 3, you might have
nsswitch-mysql, or nsswitch-ldap, or nis+ grabbing the account from a
different location. You'd have to check all of those locations.

Perhaps the EASIEST way to check if a service is running as root is to
comment out the pam modules for the service that authenticate against
mysql/ldap/nis/etc and then authenticate against multiple /etc/passwd
accounts. A failure typically means that the service is not run as root.

Joe

Jason Gerfen wrote:
> Yeah you have, so my problem isn't that I am loading the module in the
> wrong file or location, it is forking to whatever account has a UID of
> 3. I have double checked the /etc/passwd for any account with that UID
> and there isn't one listed. Is that normal? Also how can I find out if
> PAM is being executed as root?
>
> Thanks again for the info.
>
> Joe Lewis wrote:
>
>> Jason Gerfen wrote:
>>
>>> I am writing a pam module and it works fine, does simple logging of
>>> login attempts etc. The problem with this is it only seems to load
>>> if I use the /etc/pam.d/gdm file to load it.
>>
>>
>>
>> For all Gnome Display Manager logins, it will use the gdm file.
>>
>>> From what I understand about PAM the /etc/pam.d/login file should be
>>> the one to load the module to log authentication attempts correct?
>>
>>
>>
>> /etc/pam.d/login is used for text-console-based logins. This is the
>> beauty of PAM - different login mechanisms for different services.
>>
>>> Second question, as I am writing this I attempt to get the current
>>> owner of the process and it is coming up as UID & EUID as 3? Is this
>>> a system user? I could not google up anything on this behavior.
>>
>>
>>
>> Look in /etc/passwd for the account with UID of 3.
>>
>>> My third question is if PAM is not running as the root user is there
>>> an existing module that will switch to the root user on the fly in
>>> order to run some authentication commands before returning to the
>>> normal user? Any help is appreciated...
>>
>>
>>
>> There is no mechanism to switch to root for the authentication.
>> Often, a service will be running as root. When an authentication
>> request comes in, a separate process will be fork()ed, and that
>> process switches from root to the user that just authenticated, while
>> the service starts listening again for new connections.
>>
>> If you build a PAM-aware application, make sure that it is executed as
>> root, or any authentications will fail (because only root has access
>> to the shadow password files).
>>
>> I was playing with a test application, and it would only allow the
>> current user to authenticate. As soon as the application became root
>> and could gain access to the shadow files, I could authenticate any
>> user in the files.
>>
>> I hope I've answered a few questions in my ramblings. Let me know if
>> I haven't.
>>
>> Joe
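The two checks discussed in this thread (is the process UID defined in /etc/passwd or only supplied through nsswitch, and can the process read the shadow file) can be run from a PAM module or a PAM-aware test program. The C program below is an added example, not code from the thread; the function names are hypothetical and the paths /etc/passwd and /etc/shadow are the usual Linux locations, assumed here.

```c
#define _POSIX_C_SOURCE 200809L /* added example, not from the thread; names are hypothetical */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Match one passwd(5) line "name:pw:uid:..." against uid; fill name on a hit. */
int line_matches_uid(const char *line, uid_t uid, char *name, size_t n)
{
    const char *c1 = strchr(line, ':'), *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    char *end = NULL;
    unsigned long v = c2 ? strtoul(c2 + 1, &end, 10) : 0;
    if (!c2 || c1 == line || end == c2 + 1 || *end != ':' || (uid_t)v != uid) return 0;
    snprintf(name, n, "%.*s", (int)(c1 - line), line);
    return 1;
}
/* Scan a passwd-format file directly, bypassing NSS: 1 found, 0 absent, -1 unreadable. */
int lookup_local(const char *path, uid_t uid, char *name, size_t n)
{
    char line[1024];
    int found = 0;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (!found && fgets(line, sizeof line, f))
        found = line_matches_uid(line, uid, name, n);
    fclose(f);
    return found;
}
/* Resolve through NSS, i.e. every passwd source listed in /etc/nsswitch.conf. */
int lookup_nss(uid_t uid, char *name, size_t n)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) != 0 || !res) return 0;
    snprintf(name, n, "%s", res->pw_name);
    return 1;
}

int main(void)
{
    char name[64] = "?";
    int local = lookup_local("/etc/passwd", geteuid(), name, sizeof name);
    int nss = lookup_nss(geteuid(), name, sizeof name);
    FILE *sh = fopen("/etc/shadow", "r"); /* normally opens only with root-level access */
    printf("uid=%ld euid=%ld name=%s source=%s shadow=%s\n", (long)getuid(), (long)geteuid(),
           name, local == 1 ? "local file" : nss ? "NSS only" : "none", sh ? "readable" : "denied");
    if (sh) fclose(sh);
    return 0;
}
```

Inside a PAM module the same calls would report through syslog instead of printf. A result of `source=NSS only` means the account comes from an ldap, nis or mysql passwd source, and `shadow=denied` means the calling service is not running with root-level access.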