pam_open_session returns PAM_SUCCESS but no pam session?

Henk te Sligte htesligte at gmail.com
Sun Dec 5 22:11:36 UTC 2010


2010/12/5 Dan Yefimov <dan at lightwave.net.ru>:
> On 05.12.2010 22:52, Henk te Sligte wrote:
>>
>> Hi guys,
>>
>> I have been puzzling over this all day, and I can't figure out why
>> this doesn't work.
>> I compiled "xsh.c" from the examples and created the appropriate
>> config file. I do get a shell, but as the same user that is
>> logged in.
>> I even tried to modify the system() call to just a simple "touch
>> test.txt", but this command is executed as the same user.
>> So I guess my problem is somewhere in the config file, but I don't
>> know what to modify. I used "login" and "passwd", and I even tried
>> my own, where I just call pam_permit.so for every action, and even
>> though I am authenticated without a problem, the xsh script still
>> creates the file as the same user.
>>
>> So instead of the regular source, I did (line 142 from examples/xsh.c):
>>           /* this is always a really bad thing for security! */
>>           retcode = system("touch /home/henk/test.txt");
>>           if(retcode != PAM_SUCCESS) {
>>                 printf("Error code: %d\n", retcode);
>>           }
>>
>> After calling "./a.out henk" as root, this is the response:
>> ==>  called pam_start()
>>   got: `Success'
>> ==>  called pam_set_item(PAM_RUSER)()
>>   got: `Success'
>> ==>  called pam_set_item(PAM_RHOST)()
>>   got: `Success'
>> ==>  called pam_set_item(PAM_RHOST)()
>>   got: `Success'
>> Password:
>> ==>  called pam_authenticate()
>>   got: `Success'
>> ==>  called pam_acct_mgmt()
>>   got: `Success'
>> ==>  called pam_setcred()
>>   got: `Success'
>> ==>  called pam_open_session()
>>   got: `Success'
>> The user [henk] has been authenticated and `logged in'
>> ==>  called pam_close_session()
>>   got: `Success'
>> ==>  called pam_setcred()
>>   got: `Success'
>> ==>  called pam_end()
>>   got: `Success'
>>
>> However, the file is created as root.
>> This is my config script (from /etc/pam.d/passwd):
>>
>> #%PAM-1.0
>> auth    required        pam_env.so
>> auth    required        pam_unix2.so
>> account required        pam_unix2.so
>> password        requisite       pam_pwcheck.so  cracklib
>> password        optional        pam_gnome_keyring.so    use_authtok
>> password        required        pam_unix2.so    use_authtok
>> session required        pam_limits.so
>> session required        pam_unix2.so
>> session optional        pam_apparmor.so
>> session optional        pam_umask.so
>> session optional        pam_gnome_keyring.so    auto_start only_if=gdm,lxdm
>>
>> Can anyone help me out? What am I doing wrong?
>>
> You should carefully read all documentation about PAM. The first parameter
> of pam_start() is in fact the name of the PAM config file. If you specified
> "login" there, PAM will parse /etc/pam.d/login; if you specified something
> else, you must create the corresponding config file in /etc/pam.d. In
> addition, switching UID/GID to those of the logging-in user and initializing
> his supplementary group list is the job of your application, not PAM.
>
> --
>
> Sincerely Yours, Dan.
>

I know about the first parameter. The xsh script has "xsh" by default,
so that's what I am using. Obviously, I did create my own in
/etc/pam.d, as described in my first mail.
I figured from the examples that xsh.c would spawn a shell as the newly
logged-in user, because it got the credentials from PAM. Why else is
there the system() call in xsh.c (from the examples, in the release
build)?

Greetings,
Henk te Sligte
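The step Dan describes as the application's job, as an added example that is not part of this thread and not code from Linux-PAM's examples/xsh.c: pam_open_session() returning PAM_SUCCESS only runs the session modules in the config; it does not change the calling process's UID, GID or supplementary groups, which is why a system() call placed after it still runs as root. (Note also that system() returns a wait status, not a PAM return code, so comparing its result with PAM_SUCCESS says nothing about PAM.) The code below is the privilege switch a login application performs after pam_open_session() and before running anything on the user's behalf; it assumes Linux/glibc and that the caller is root. The function names, the status enum and the identity check are this example's own, not a PAM API.

```c
/* Added example: the UID/GID switch PAM leaves to the application.
 * Order matters: initgroups() and setgid() need root, so they run
 * before setuid(); after setuid() there is no way back to root.
 * Assumes Linux/glibc.  Nothing here calls libpam; in a real login
 * program this runs in the forked child after pam_open_session()
 * has succeeded, and the parent keeps the pam_handle so it can call
 * pam_close_session() once the child exits. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum drop_status {
    DROP_OK = 0,
    DROP_NO_SUCH_USER = 1,      /* getpwnam() returned no entry */
    DROP_INITGROUPS_FAILED = 2, /* could not set supplementary groups */
    DROP_SETGID_FAILED = 3,
    DROP_SETUID_FAILED = 4,
    DROP_STILL_PRIVILEGED = 5   /* calls succeeded but identity is wrong */
};

/* Check that real and effective IDs both equal the target.  Run after
 * the switch: a mismatch means a partial drop that must not be trusted. */
int verify_identity(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Switch the calling process to the account `name`.  Returns a
 * drop_status; errno is left as set by the failing libc call. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return DROP_NO_SUCH_USER;

    /* Replace root's supplementary group list with the user's own. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return DROP_INITGROUPS_FAILED;
    if (setgid(pw->pw_gid) != 0)
        return DROP_SETGID_FAILED;
    /* As root, setuid() sets real, effective and saved UID at once. */
    if (setuid(pw->pw_uid) != 0)
        return DROP_SETUID_FAILED;

    /* Never assume the switch worked; confirm it before exec. */
    if (verify_identity(pw->pw_uid, pw->pw_gid) != 0)
        return DROP_STILL_PRIVILEGED;
    return DROP_OK;
}

/* Stand-alone demo: as root, `./drop henk` switches to henk and runs
 * `id`, which then reports henk's uid, gid and groups. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <user>\n", argv[0]);
        return 2;
    }
    int rc = drop_to_user(argv[1]);
    if (rc != DROP_OK) {
        fprintf(stderr, "drop_to_user(%s) failed: status %d (%s)\n",
                argv[1], rc, errno ? strerror(errno) : "no errno");
        return 1;
    }
    /* Only now is it safe to run a shell or command for the user.
     * A login program would also pass pam_getenvlist() as the envp. */
    execl("/usr/bin/id", "id", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run as an unprivileged user the demo fails at initgroups() or setgid() with EPERM, which is the correct behaviour: a switch that cannot complete must not fall through to exec. With this in place of the bare system() call, the "touch" from the thread would create the file as the authenticated user rather than as root.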



