From: Helge Bahmann (bahmann math.tu-freiberg.de)
Date: Mon Nov 26 2001 - 14:00:49 CST

On Mon, 26 Nov 2001, Jani Jaakkola wrote:
> At least on RedHat, the default pam installation creates these two
> suid-binaries:
>
> -r-sr-xr-x 1 root root 15088 Nov 9 18:30 /sbin/pwdb_chkpwd*
> -r-sr-xr-x 1 root root 16824 Nov 9 18:30 /sbin/unix_chkpwd*
>
> which are "authentication proxies" used by pam_pwdb and pam_unix.

I have them as well (though on Suse they are set setgid shadow instead).
I did not figure they were supposed to be used by pam_unix, and
apparently my pam_unix does not try to use them.

The application in question is postgres; I have a single entry in
/etc/pam.d/postgresql:

    auth required /lib/security/pam_unix.so

(Replacing this with pam_permit.so allows me to connect to the database
without trouble, so pam auth itself appears to be working).

Tracing the postmaster child process during login shows:

[pid 12696] open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
[pid 12696] send(8, "R\0\0\0\3", 5, 0) = 5
[pid 12696] recv(8, "\0", 1, MSG_PEEK) = 1
[pid 12696] recv(8, "\0\0\0\10foo\0", 8192, 0) = 8
[pid 12696] write(2, "CheckPAMAuth: pam_acct_mgmt fail"..., 61) = 61
[pid 12696] write(2, "FATAL 1: PAM authentication fai"..., 55) = 55
[pid 12696] send(8, "EFATAL 1: PAM authentication fa"..., 57, 0) = 57

I did not discover any reference to /sbin/unix_chkpwd in the trace -- no stat,
no fork & exec.

PAM version is 0.74 (as shipped with Suse 7.2).

I am kind of lost here. Is there anything else I have to set up so pam_unix
will call unix_chkpwd?

Best regards
--
Helge Bahmann <bahmannmath.tu-freiberg.de>             /|  \__
Network admin, systems programmer                     /_|____\
                                                    _/\ |   __)
$ ./configure                                       \\ \|__/__|
checking whether build environment is sane... yes    \\/___/ |
checking for AIX... no (we already did this)           |
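
The check done by eye on the trace in the message above, as an added example (not part of the original post, and not code from PAM or PostgreSQL): a small script that reads `strace -f` output and reports, per pid, whether opening /etc/shadow was denied, whether a chkpwd helper was ever exec'd, and which PAM call the CheckPAMAuth message names. The function names and the second pid in the sample are constructed for illustration.

```python
import re

# One `strace -f` line: optional "[pid N]", syscall name, arguments, return value, errno.
LINE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+([A-Z]+))?')
HELPERS = ("unix_chkpwd", "pwdb_chkpwd")

# First pid: lines from the trace in the message. Second pid: constructed for contrast.
SAMPLE_TRACE = r'''
[pid 12696] open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
[pid 12696] send(8, "R\0\0\0\3", 5, 0) = 5
[pid 12696] write(2, "CheckPAMAuth: pam_acct_mgmt fail"..., 61) = 61
[pid 20001] execve("/sbin/unix_chkpwd", ["/sbin/unix_chkpwd"], [/* 0 vars */]) = 0
'''

def triage(trace_text):
    """Per pid: was /etc/shadow denied, was a helper exec'd, which PAM call is named."""
    report = {}
    for raw in trace_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, call, args, _ret, errno = m.groups()
        entry = report.setdefault(pid or "main", {
            "shadow_denied": False, "helper_exec": False, "pam_stage": None})
        if call in ("open", "openat") and '"/etc/shadow"' in args and errno == "EACCES":
            entry["shadow_denied"] = True
        elif call == "execve" and args.split(",")[0].strip('"').endswith(HELPERS):
            entry["helper_exec"] = True
        elif call == "write":
            stage = re.search(r"CheckPAMAuth: (pam_\w+)", args)
            if stage:
                entry["pam_stage"] = stage.group(1)
    return report

def suspects(report):
    """Pids that hit the shadow denial without ever exec'ing a chkpwd helper."""
    return sorted(p for p, e in report.items() if e["shadow_denied"] and not e["helper_exec"])

if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for pid in suspects(result):
        print(pid, result[pid])
```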