pam_unix.so: allow account verification for non-root users when shadow is enabled
Laurence Withers
l at lwithers.me.uk
Tue Oct 2 18:05:00 UTC 2007
Hi,
I have recently been setting up exim to authenticate SMTP logins via
PAM. This system does not use SELinux. /etc/pam.d/exim includes the
line:
account required pam_unix.so
When it comes to verifying account details (i.e. pam_sm_acct_mgmt() in
modules/pam_unix/pam_unix_acct.c), `_unix_shadowed(pwent)' is going to
return true since I have shadow passwords enabled. This means that PAM
will now try to access /etc/shadow.
The exim daemon does not run as root, however; it runs under the UID
mail. This obviously means that /etc/shadow (mode 0600) cannot be read
by the library, and so `pam_sm_acct_mgmt()' returns
PAM_AUTHINFO_UNAVAIL.
On the assumption that it is a valid thing for a non-root process to
check the validity of an account, I activated the SELinux-specific
`_unix_run_verify_binary()' code, and the call to it in
pam_sm_acct_mgmt(), so that the setuid unix_chkpwd helper binary is
called to retrieve the information from /etc/shadow. This works as
intended.
I have attached a patch with these changes, in the hope that it is
useful. However, I will admit that I simply don't have enough
experience to see if this has security implications or not. Please let
me know.
Bye for now,
--
Laurence Withers, <l at lwithers.me.uk>
http://www.lwithers.me.uk/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_unix.so-use-unix_chkpwd-for-accessing-shadow-when-not-root.patch
Type: text/x-diff
Size: 1013 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pam-list/attachments/20071002/a2b0a6d6/attachment.bin>