pam_unix opens /etc/shadow as regular user

Jonathan DeSena Jonathan.DeSena at jhuapl.edu
Fri Jan 27 13:42:29 UTC 2006


I have run into a problem that was reported on this list 1.5 years ago,
but, as far as I can tell, was unresolved. See:
https://www.redhat.com/archives/pam-list/2004-July/msg00010.html

The issue is that pam_unix will call getspnam() as a non-root user only
to later call the setuid helper binary when the first try fails. In
most environments this is probably not a problem, but in environments
where auditing is required, this results in the attempted access
of /etc/shadow being logged, and looking suspicious.

This only happens for processes such as xscreensaver which are installed
without setuid bit set, but need to perform authentication -- the very
reason for having the helper program unix_chkpwd. Also, I believe this
is only an issue for the auth module, as other modules do not have such
helper programs, so the intent is that they should be running as root
already.

The use of the shadow routines should probably not even be attempted if
the process is non-root. The man page for shadow(3) makes this clear:
"These routines may only be used by the super user as access to the
shadow password file is restricted."

I have a simple patch that works for me (see below), but perhaps there
is a better way. I believe this issue should be resolved in the
mainline, especially as auditing in Linux becomes more common.

Thanks,
Jon DeSena

--- support.c.orig      2006-01-26 09:50:40.000000000 -0500
+++ support.c   2006-01-26 09:55:34.000000000 -0500
@@ -436,7 +436,7 @@
                                        setreuid( save_uid, -1 );
                                setreuid( -1, save_euid );
                        }
-               } else if (_unix_shadowed(pwd)) {
+               } else if (_unix_shadowed(pwd) && geteuid() == 0) {
                        /*
                         * ...and shadow password file entry for this user,
                         * if shadowing is enabled
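Review bot: the new `geteuid() == 0` guard at the `else if` makes the shadow branch unreachable for a non-root caller, so please confirm that the code following this hunk then reaches the unix_chkpwd helper path rather than failing the authentication outright; the hunk only shows the condition change, not what the fall-through does. Two caveats on the condition itself: a process whose euid is non-zero but which belongs to the group owning /etc/shadow (the `shadow` group on distributions that ship the file mode 0640 root:shadow), or which holds CAP_DAC_READ_SEARCH, could read the file successfully yet will now be sent to the helper. That is the safer default, but worth a sentence in the comment below, which still says only "if shadowing is enabled" and no longer describes the condition.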
@@ -628,7 +628,7 @@
                                setreuid( save_uid, -1 );
                                setreuid( -1, save_euid );
                        }
-               } else if (_unix_shadowed(pwd)) {
+               } else if (_unix_shadowed(pwd) && geteuid() == 0) {
                        /*
                         * ...and shadow password file entry for this user,
                         * if shadowing is enabled
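Review bot: this is the identical `_unix_shadowed(pwd) && geteuid() == 0` condition as in the first hunk, now in two places that must stay in sync. Suggest folding the euid test into `_unix_shadowed()` itself, or adding a one-line static helper such as `_unix_may_read_shadow(pwd)` and calling it from both sites, so a later change to the policy (for example honouring the shadow group) does not have to be made twice. As above, the comment block after the condition should mention the root requirement.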



