shall a pam-enabled application be setuid root to be able to pam_authenticate system users ?

Ludvig Ericson ludvig.ericson at gmail.com
Fri Mar 16 21:45:15 UTC 2007


Okay, I've written a short test-case.

I thank you for asking this question; it answers my own question in
another mail - why pam_acct_mgmt() fails when I call it.

It would seem that the case is that you can authenticate as your own
user on my system, and this may very well have to do with permissions
on each individual system.

Anyway, the code I tested with: http://rafb.net/p/2svWsB16.html
And the commands I ran:
toxik@saga ~ $ ./pamtest sshd toxik
Password:
pam_acct_mgmt() failed: error 9, Authentication service cannot retrieve authentication info
toxik@saga ~ $ ./pamtest sshd root
Password:
authentication error: Authentication failure
toxik@saga ~ $ sudo ./pamtest sshd root
Password:
authentication error: Authentication failure
toxik@saga ~ $ sudo ./pamtest sshd toxik
Password:
pam_acct_mgmt() failed: error 0, Success

In short, yes, with pam_unix.so it does seem like you have to be root.

Thank you, Ludvig Ericson.
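
The "error 9" in the unprivileged run above, as an added example that is not part of the original message and is not the code from the rafb.net paste: pam_unix's account check needs the password-aging fields held in the shadow database, which is normally readable only by root. The sketch below looks the entry up with getspnam() using the caller's own privileges and applies a simplified aging check; the enum and function names are this example's own, and the rules are a simplification, not pam_unix's source.

```c
/* Added example, not the poster's pamtest; aging rules are simplified. */
#include <errno.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

enum acct_state { ACCT_OK, ACCT_EXPIRED, ACCT_PW_CHANGE, ACCT_UNAVAILABLE };

/* Account check over shadow aging fields (-1 means "not set").
   sp == NULL models a caller that could not obtain the entry. */
enum acct_state acct_check(const struct spwd *sp, long today)
{
    if (sp == NULL)
        return ACCT_UNAVAILABLE;
    if (sp->sp_expire != -1 && today >= sp->sp_expire)
        return ACCT_EXPIRED;
    if (sp->sp_lstchg == 0)               /* change forced at next login */
        return ACCT_PW_CHANGE;
    if (sp->sp_max != -1 && sp->sp_lstchg > 0 &&
        today - sp->sp_lstchg > sp->sp_max)
        return ACCT_PW_CHANGE;            /* password older than sp_max days */
    return ACCT_OK;
}

/* Look the user up with whatever privileges this process has. */
enum acct_state probe_user(const char *user)
{
    errno = 0;
    const struct spwd *sp = getspnam(user);
    if (sp == NULL)   /* EACCES when the shadow file is unreadable */
        fprintf(stderr, "getspnam(%s) as euid %d: %s\n", user,
                (int)geteuid(), errno ? strerror(errno) : "no entry");
    return acct_check(sp, (long)(time(NULL) / 86400));
}

int main(int argc, char **argv)
{
    static const char *const names[] = { "ok", "account expired",
        "password change required", "shadow info unavailable" };
    if (argc != 2) {
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 2;
    }
    enum acct_state st = probe_user(argv[1]);
    printf("%s: %s\n", argv[1], names[st]);
    return st == ACCT_OK ? 0 : 1;
}
```

Run it once as an ordinary user and once under sudo for the same account name; the stderr line shows whether the lookup itself was refused before any aging rule was applied.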



