
From: David Retz (dretzsyv.com)
Date: Mon Nov 19 2001 - 10:28:55 CST


    Mike Gerdts wrote:

    >
    > Sounds to me like you have pam modules stacked and you have different
    > passwords stored in different authentication sources. Perhaps one of
    > them is a shadow file, which is only readable by root.

    No ... just one of them stacked, under auth required pam_pwdb.so. It authenticates
    some passwords and not others, depending on the password. Short, long, it doesn't
    matter - some work, some don't. However, works always when running as root.

    Seems this would be an essential capability (i.e., *not* running as root) for
    authentication of user-level functions driven from a shell or from a CGI script. I
    have a way around it making my application module run setuid as root, but I suspect
    that something lurks. I am running a shadowed password file which, of course, is
    readable only by root. I don't know how the pam_pwdb.so module would get itself
    into root mode (is there such a thing as setuid for dynamic libraries?). If it can't
    read the shadow file, then it should *never* authenticate - but I can make it do
    that by changing the target user's password to certain values.

    So the inherent questions are:
    1) must pam_authenticate be called only as root?
    2) if not, how does it ever succeed in reading a shadow file if not setuid'd to
    root?

    Dave

    _______________________________________________
    Pam-list mailing list
    Pam-listredhat.com
    https://listman.redhat.com/mailman/listinfo/pam-list
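The second question in the post (how a non-root caller of pam_authenticate can ever verify a password against a root-only shadow file) is a privilege-boundary question, so the first thing to establish is whether the calling process can read the shadow source at all. On Linux-PAM, pam_unix answers this by delegating the comparison to a setuid helper (unix_chkpwd) rather than by reading the file itself, which is why the behaviour of an unprivileged caller differs from the root case. The following diagnostic is an added example, not code from the original post or from the PAM project: it reports what the current process can see, and parses constructed shadow-format lines (the account names and hash strings are made up) to show which entries can ever match a password. The helper names and the CONSTRUCTED_SHADOW sample are assumptions of this example.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ShadowEntry:
    """The two fields of a shadow(5) line that a password check actually needs."""
    name: str
    hashed: str

    def password_login_possible(self) -> bool:
        # An empty hash, or one prefixed with "!" or "*", can never match any
        # password, so such accounts fail authentication regardless of privilege.
        return bool(self.hashed) and not self.hashed.startswith(("!", "*"))


def parse_shadow_entry(line: str) -> ShadowEntry:
    """Parse one shadow-format line: name:hash:lastchg:min:max:warn:inact:expire:flag."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow-format line: %r" % line)
    return ShadowEntry(name=fields[0], hashed=fields[1])


def accounts_with_usable_password(lines: List[str]) -> List[str]:
    """Names of accounts whose stored hash could match a supplied password."""
    return [e.name for e in map(parse_shadow_entry, lines) if e.password_login_possible()]


def shadow_access_report(path: str = "/etc/shadow") -> Dict[str, Optional[object]]:
    """Report whether the *current* process could read the shadow source directly.

    A module running inside an unprivileged caller has exactly these rights, so
    if 'readable' is False here, any successful authentication must have gone
    through a privileged helper rather than a direct read of the file.
    """
    report: Dict[str, Optional[object]] = {
        "euid": os.geteuid(),
        "exists": False,
        "mode": None,
        "readable": False,
    }
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return report
    report["exists"] = True
    report["mode"] = stat.filemode(st.st_mode)  # e.g. "-r--------" for a shadowed file
    try:
        with open(path, "rb"):
            report["readable"] = True
    except PermissionError:
        report["readable"] = False
    return report


# Constructed sample lines (not from any real system): one normal account,
# one locked with "!", one system account that never had a password ("*").
CONSTRUCTED_SHADOW = [
    "alice:$6$constructedsalt$constructedhashvalue:15000:0:99999:7:::",
    "bob:!:15000:0:99999:7:::",
    "daemon:*:15000:0:99999:7:::",
]


if __name__ == "__main__":
    print(shadow_access_report())
    print(accounts_with_usable_password(CONSTRUCTED_SHADOW))
```

Run it once as the unprivileged user that drives the shell or CGI application and once as root; the `readable` field differs, while `accounts_with_usable_password` does not, which separates "this process cannot see the hashes" from "this account has no matchable hash" when diagnosing a failing pam_authenticate.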