pam_open_session returns PAM_SUCCESS but no pam session?

Dan Yefimov dan at lightwave.net.ru
Sun Dec 5 21:42:50 UTC 2010


On 05.12.2010 22:52, Henk te Sligte wrote:
> Hi guys,
>
> I have been puzzling with this all day, and I can't figure out why
> this doesn't work.
> I compiled "xsh.c" from the examples, and created the appropriate
> config file. However, I do get a shell, but from the same user that is
> logged in.
> I even tried to modify the system call to just a simple "touch
> test.txt", but this command is executed as the same user.
> So I guess my problem is somewhere in the config file, but I don't
> know what to modify. I used the "login" and "passwd", and I even tried
> my own, where I just call pam_permit.so for every action, and even
> though I am authenticated without a problem, the xsh script still
> creates the file with the same user.
>
> So instead of the regular source, I did (line 142 from examples/xsh.c):
>            /* this is always a really bad thing for security! */
>            retcode = system("touch /home/henk/test.txt");
>            if(retcode != PAM_SUCCESS) {
>                  printf("Error code: %d\n", retcode);
>            }
>
> After calling "./a.out henk" as root, this is the response:
> ==>  called pam_start()
>    got: `Success'
> ==>  called pam_set_item(PAM_RUSER)()
>    got: `Success'
> ==>  called pam_set_item(PAM_RHOST)()
>    got: `Success'
> ==>  called pam_set_item(PAM_RHOST)()
>    got: `Success'
> Password:
> ==>  called pam_authenticate()
>    got: `Success'
> ==>  called pam_acct_mgmt()
>    got: `Success'
> ==>  called pam_setcred()
>    got: `Success'
> ==>  called pam_open_session()
>    got: `Success'
> The user [henk] has been authenticated and `logged in'
> ==>  called pam_close_session()
>    got: `Success'
> ==>  called pam_setcred()
>    got: `Success'
> ==>  called pam_end()
>    got: `Success'
>
> However, the file is created as root.
> This is my config script (from /etc/pam.d/passwd):
>
> #%PAM-1.0
> auth    required        pam_env.so
> auth    required        pam_unix2.so
> account required        pam_unix2.so
> password        requisite       pam_pwcheck.so  cracklib
> password        optional        pam_gnome_keyring.so    use_authtok
> password        required        pam_unix2.so    use_authtok
> session required        pam_limits.so
> session required        pam_unix2.so
> session optional        pam_apparmor.so
> session optional        pam_umask.so
> session optional        pam_gnome_keyring.so    auto_start only_if=gdm,lxdm
>
> Can anyone help me out? What am I doing wrong?
>
You should carefully read all documentation about PAM. The first parameter of 
pam_start() is in fact the name of the PAM config file. If you specified "login" 
there, PAM will parse /etc/pam.d/login; if you specified something else, you 
must create the corresponding config file in /etc/pam.d. In addition, switching 
UID/GID to those of the user logging in and initializing their supplementary group 
list is the job of your application, not PAM.

-- 

Sincerely Yours, Dan.