Permissions on the password database may be too restrictive
Bent Bagger
bbagger at gmail.com
Mon May 1 14:22:45 UTC 2006
Hi
I teach a Linux course at the Engineering College in Copenhagen and
the subject next time is PAM. To demonstrate how to use PAM I have
taken a small program from the O'Reilly book "Linux Security Cookbook"
(p.74). Trying to execute the compiled program results in this error
message:
Permissions on the password database may be too restrictive
The funny (?) thing is that if I make /etc/shadow world readable with
chmod, the program runs successfully. This, however, is not a
workaround I like! I hope one of you can provide me with a better
solution.
Here are some details about my setup: My distribution is Suse 10.0,
/etc/nsswitch has both passwd and shadow set to 'compat'. My
configuration file in /etc/pam.d is this:
#
# /etc/pam.d/my_applic
#
# configuration file for PAM-aware program
#
auth required pam_unix2.so debug
account required pam_unix2.so
and finally, here is the application itself:
==============
/* PAM-aware application - "Linux Security Cookbook" page 74.
 *
 * compile with gcc pam_aware.c -lpam -lpam_misc -o pam_aware
 *
 * *** requires package pam-devel installed ***
 *
 * You need to add the following file to the /etc/pam.d directory
 * /etc/pam.d/my_applic:
 * # check authorization
 * auth required pam_unix2.so
 * account required pam_unix2.so
 */
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>   /* getuid() */
#include <stdio.h>

#define MY_CONFIG "my_applic"

void Run_My_Big_Application(); /* prototype */

/* misc_conv (from libpam_misc) prompts for the password on the terminal */
static struct pam_conv conv = {misc_conv, NULL};

int main () {
    pam_handle_t *pamh = NULL;
    int result;
    struct passwd *pw;

    /* Authenticate the invoking user under the my_applic service */
    if ((pw = getpwuid(getuid())) == NULL)
        perror("getpwuid");
    else if ((result = pam_start(MY_CONFIG, pw->pw_name, &conv, &pamh)) != PAM_SUCCESS)
        fprintf(stderr, "start failed: %s\n", pam_strerror(pamh, result));
    else if ((result = pam_authenticate(pamh, 0)) != PAM_SUCCESS)
        fprintf(stderr, "authenticate failed: %s\n", pam_strerror(pamh, result));
    else if ((result = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS)
        fprintf(stderr, "acct_mgmt failed: %s\n", pam_strerror(pamh, result));
    else if ((result = pam_end(pamh, 0)) != PAM_SUCCESS)
        fprintf(stderr, "end failed: %s\n", pam_strerror(pamh, result));
    else
        Run_My_Big_Application(); /* Run your application code */
    return 0;
}

void Run_My_Big_Application() {
    fprintf(stdout, "Hello from your PAM-aware application\n");
}
===============
Best regards, Bent
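
The symptom in this message, as an added example that is not part of the original post or of the book's code: a small check that reports whether the current process can read /etc/shadow and whether the file has been opened up to all users, as the chmod workaround does. The helper name classify_shadow is hypothetical, and only the classic mode bits are evaluated (ACLs and capabilities are assumed absent).

```c
/* Added example: can this process read /etc/shadow, and is the file exposed
 * to every user? Classic mode bits only; ACLs/capabilities ignored (assumption). */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum shadow_verdict { SHADOW_READABLE, SHADOW_NOT_READABLE, SHADOW_WORLD_READABLE };

/* Hypothetical helper: apply the owner/group/other rule to one file. */
enum shadow_verdict classify_shadow(mode_t mode, uid_t owner, gid_t group,
                                    uid_t euid, const gid_t *gids, int ngids)
{
    int i;
    if (mode & S_IROTH)                 /* any local user can read the hashes */
        return SHADOW_WORLD_READABLE;
    if (euid == 0)                      /* root bypasses the mode bits */
        return SHADOW_READABLE;
    if (euid == owner)                  /* owner class: only the owner bit counts */
        return (mode & S_IRUSR) ? SHADOW_READABLE : SHADOW_NOT_READABLE;
    for (i = 0; i < ngids; i++)         /* group class */
        if (gids[i] == group)
            return (mode & S_IRGRP) ? SHADOW_READABLE : SHADOW_NOT_READABLE;
    return SHADOW_NOT_READABLE;         /* other class, and S_IROTH is clear */
}

int main(void)
{
    static const char *text[] = {
        "readable by this process and not world-readable",
        "not readable by this process: a shadow lookup made here will fail",
        "world-readable: password hashes are exposed to every local user"
    };
    struct stat st;
    gid_t gids[65];
    int n;

    if (stat("/etc/shadow", &st) != 0) {
        perror("stat /etc/shadow");
        return 2;
    }
    n = getgroups(64, gids);            /* supplementary groups; -1 if more than 64 */
    if (n < 0)
        n = 0;
    gids[n++] = getegid();              /* effective gid may not be in the list */
    printf("/etc/shadow (mode %04o): %s\n", (unsigned)(st.st_mode & 07777),
           text[classify_shadow(st.st_mode, st.st_uid, st.st_gid, geteuid(), gids, n)]);
    return 0;
}
```

Run it as the same user, and with the same setuid/setgid bits, as the PAM-aware program, since the result depends on the effective uid and group list of the calling process.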