Permissions on the password database may be too restrictive

Bent Bagger bbagger at gmail.com
Mon May 1 14:22:45 UTC 2006


Hi

I teach a Linux course at the Engineering College in Copenhagen and
the subject next time is PAM. To demonstrate how to use PAM I have
taken a small program from the O'Reilly book "Linux Security Cookbook"
(p.74). Trying to execute the compiled program results in this error
message:

Permissions on the password database may be too restrictive

The funny (?) thing is that if I make /etc/shadow world readable with
chmod, the program runs successfully. This, however, is not a
workaround I like! I hope one of you can provide me with a better
solution.

Here are some details about my setup: My distribution is Suse 10.0,
/etc/nsswitch has both passwd and shadow set to 'compat'. My
configuration file in /etc/pam.d is this:

#
#  /etc/pam.d/my_applic
#
# configuration file for PAM-aware program
#
auth         required     pam_unix2.so debug
account    required     pam_unix2.so

and finally, here is the application itself:
==============

/*  PAM-aware application - "Linux Security Cookbook" page 74.
 *
 *  compile with gcc pam_aware.c -lpam -lpam_misc -o pam_aware
 *
 *     *** requires package pam-devel installed ***
 *
 *  You need to add the following file to the /etc/pam.d directory
 *  /etc/pam.d/my_applic:
 *  # check authorization
 *  auth         required     pam_unix2.so
 *  account    required     pam_unix2.so

 */

#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>   /* getuid() */
#include <stdio.h>

#define MY_CONFIG "my_applic"

void Run_My_Big_Application(void);  /* prototype */

/* misc_conv is the text-mode conversation function from libpam_misc */
static struct pam_conv conv = {misc_conv, NULL};

int main(void) {
   pam_handle_t *pamh = NULL;   /* stays NULL if pam_start() fails */
   int result;
   struct passwd *pw;

   /* authenticate the user who is running the program */
   if ((pw = getpwuid(getuid())) == NULL)
      perror("getpwuid");
   else if ((result = pam_start(MY_CONFIG, pw->pw_name, &conv, &pamh)) != PAM_SUCCESS)
      fprintf(stderr, "start failed: %s\n", pam_strerror(pamh, result));
   else if ((result = pam_authenticate(pamh, 0)) != PAM_SUCCESS)
      fprintf(stderr, "authenticate failed: %s\n", pam_strerror(pamh, result));
   else if ((result = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS)
      fprintf(stderr, "acct_mgmt failed: %s\n", pam_strerror(pamh, result));
   else if ((result = pam_end(pamh, 0)) != PAM_SUCCESS)
      fprintf(stderr, "end failed: %s\n", pam_strerror(pamh, result));
   else
      Run_My_Big_Application();                  /* Run your application code */
   return 0;
}

void Run_My_Big_Application() {
  fprintf(stdout, "Hello from your PAM-aware application\n");
}

===============

Best regards,  Bent
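
The behaviour reported above turns on the read bits of /etc/shadow. As an added example (not part of the original post and not code from the book), the C sketch below applies the classic Unix owner/group/other read check to a shadow file and flags the world-readable state that the chmod workaround creates. The helper and macro names are hypothetical; supplementary groups, ACLs and capabilities are ignored.

```c
/* Added example: owner/group/other read check for a shadow file. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define CAN_READ       0x1  /* the given credentials may read the file */
#define WORLD_READABLE 0x2  /* finding: hashes exposed to every local user */

/* Hypothetical helper: evaluates only the classic mode bits.
 * Supplementary groups, ACLs and capabilities are ignored. */
int shadow_audit(mode_t mode, uid_t owner, gid_t group, uid_t euid, gid_t egid)
{
    int r = (mode & S_IROTH) ? WORLD_READABLE : 0;
    mode_t bit;

    if (euid == 0)
        return r | CAN_READ;            /* root bypasses the mode bits */
    if (euid == owner)
        bit = S_IRUSR;                  /* only the owner class applies */
    else if (egid == group)
        bit = S_IRGRP;                  /* only the group class applies */
    else
        bit = S_IROTH;
    return (mode & bit) ? (r | CAN_READ) : r;
}

int main(void)
{
    const char *path = "/etc/shadow";
    struct stat st;

    if (stat(path, &st) != 0) {
        perror(path);
        return 2;
    }
    int r = shadow_audit(st.st_mode, st.st_uid, st.st_gid, geteuid(), getegid());
    printf("%s: mode %04o, owner %u, group %u\n", path,
           (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid, (unsigned)st.st_gid);
    printf("readable with euid %u / egid %u: %s\n", (unsigned)geteuid(),
           (unsigned)getegid(), (r & CAN_READ) ? "yes" : "no");
    if (r & WORLD_READABLE) {
        puts("FINDING: world-readable shadow file; remove the 'other' read bit");
        return 1;
    }
    return 0;
}
```

Run as the same unprivileged user that starts the PAM-aware program, it shows whether that user's credentials can read the file and exits with status 1 if the file is world readable.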