Package: libpam-modules
Version: 0.79-3.1
Severity: normal
pam_authenticate(...) /* success */
pam_acct_mgmt()
-> _pam_dispatch()
-> _pam_dispatch_aux()
-> pam_sm_acct_mgmt() - returns '9', PAM_AUTHINFO_UNAVAIL
From the file modules/pam_unix/pam_unix_acct.c:
183 PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
184 int argc, const char **argv)
185 {
...
240 } else if (_unix_shadowed (pwent))
241 spent = _pammodutil_getspnam (pamh, uname);
242 else
243 return PAM_SUCCESS;
244
245 if (!spent && SELINUX_ENABLED)
246 spent = _unix_run_verify_binary(pamh, ctrl, uname);
247
248 if (!spent)
249 if (on(UNIX_BROKEN_SHADOW,ctrl))
250 return PAM_SUCCESS;
251
252 if (!spent)
253 return PAM_AUTHINFO_UNAVAIL; /* Couldn't get username from shadow */
...
317 D(("all done"));
318
319 return PAM_SUCCESS;
320 }
The problem appears on line 245. Because check_user is run as a non-root user,
it is naturally denied access to the /etc/shadow file, so 'spent == NULL'. Then
there is a check whether SELinux is enabled (is_selinux_enabled() returns 0).
So in this case '_unix_run_verify_binary' will not be called at all, and
pam_sm_acct_mgmt() returns PAM_AUTHINFO_UNAVAIL (on line 253).
The fix is very simple: change '&&' to '||' on line 245. Without this change
the manual page unix_chkpwd(8) contradicts reality. The manual also claims
"In this way it is possible for applications like xlock to work without being
setuid root." Yes, it does, but xlock has still been "fixed" in the following
way: DON'T CALL 'pam_acct_mgmt()' at all. Perhaps that is the correct solution
(a hack?); this way exactly the same problem is being 'fixed'.
The problem is easily demonstrated with 'Linux-PAM/examples/check_user.c'. An
example:
For a non-root user:
$ id zoozer
uid=1000(zoozer) gid=1000(zoozer)
$ ./check_user zoozer
Password:
Not Authenticated
PAM Error(9): Authentication service cannot retrieve authentication info.
As root:
$ sudo -s
password:
# id
uid=0(root) gid=0(root) groups=0(root)
# ./check_user zoozer
Password:
Authenticated
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.16-evo
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8)
Versions of packages libpam-modules depends on:
ii libc6 2.3.6-7 GNU C Library: Shared libraries
ii libcap1 1:1.10-14 support for getting/setting POSIX.
ii libdb4.3 4.3.29-5 Berkeley v4.3 Database Libraries [
ii libpam0g 0.79-3.1 Pluggable Authentication Modules l
ii libselinux1 1.30-1 SELinux shared libraries
libpam-modules recommends no packages.
-- no debconf information
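The following is an added example, not code from the report and not Linux-PAM's own: it models the branch taken at lines 245-253 of the pam_unix_acct.c excerpt quoted in the report (with and without the proposed '&&' to '||' change on line 245) and runs the same getspnam() lookup the module makes, so the caller can see the errno an unprivileged process actually gets for /etc/shadow. The values PAM_SUCCESS = 0 and PAM_AUTHINFO_UNAVAIL = 9 are taken from the report; the enum names, the default user "root" and the helper functions are this example's own assumptions. Build with `cc -o acct_probe acct_probe.c` and run it once as a normal user and once as root, as the report does with check_user.

```c
#include <errno.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return codes as they appear in the report (PAM_AUTHINFO_UNAVAIL prints as 9). */
#define PAM_SUCCESS          0
#define PAM_AUTHINFO_UNAVAIL 9

/* What pam_sm_acct_mgmt() does after the getspnam() lookup at line 241.
 * Enum names are this example's own, not Linux-PAM identifiers. */
enum acct_path {
    ACCT_CONTINUE,       /* spent available: proceed to the expiry checks        */
    ACCT_RUN_HELPER,     /* call _unix_run_verify_binary() (unix_chkpwd as root) */
    ACCT_BROKEN_SHADOW,  /* broken_shadow set: line 250 returns PAM_SUCCESS       */
    ACCT_UNAVAIL         /* line 253 returns PAM_AUTHINFO_UNAVAIL: the bug        */
};

/* Model of lines 245-253 as quoted in the report.
 *   spent_found     : getspnam() returned an entry (spent != NULL)
 *   selinux_enabled : SELINUX_ENABLED is true
 *   broken_shadow   : module argument broken_shadow is set
 *   use_or          : apply the report's change, '&&' -> '||' on line 245
 * ACCT_RUN_HELPER only says the helper is spawned; its result then decides. */
static enum acct_path account_stage(int spent_found, int selinux_enabled,
                                    int broken_shadow, int use_or)
{
    int run_helper = use_or ? (!spent_found || selinux_enabled)
                            : (!spent_found && selinux_enabled);
    if (run_helper)
        return ACCT_RUN_HELPER;
    if (spent_found)
        return ACCT_CONTINUE;
    if (broken_shadow)
        return ACCT_BROKEN_SHADOW;
    return ACCT_UNAVAIL;
}

/* Module return value for the paths that end inside pam_sm_acct_mgmt();
 * -1 for ACCT_RUN_HELPER because that outcome depends on the helper. */
static int acct_return(enum acct_path p)
{
    switch (p) {
    case ACCT_CONTINUE:
    case ACCT_BROKEN_SHADOW: return PAM_SUCCESS;
    case ACCT_UNAVAIL:       return PAM_AUTHINFO_UNAVAIL;
    default:                 return -1;
    }
}

static const char *path_name(enum acct_path p)
{
    static const char *names[] = {
        "continue to expiry checks", "run unix_chkpwd helper",
        "return PAM_SUCCESS (broken_shadow)", "return PAM_AUTHINFO_UNAVAIL (9)"
    };
    return names[p];
}

/* Real probe: the same getspnam() call the module makes, from this process.
 * An unprivileged caller normally gets NULL with errno == EACCES, which is the
 * 'spent == NULL' state the report describes; NULL with errno == 0 means the
 * lookup worked but the user has no shadow entry. */
static int probe_shadow(const char *user, int *saved_errno)
{
    errno = 0;
    struct spwd *sp = getspnam(user);
    *saved_errno = errno;
    return sp != NULL;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";   /* default user: assumption */
    int err = 0;
    int found = probe_shadow(user, &err);

    printf("euid=%u  getspnam(\"%s\") -> %s", (unsigned)geteuid(), user,
           found ? "entry" : "NULL");
    if (!found)
        printf(" (errno %d%s%s)", err, err ? ": " : "", err ? strerror(err) : "");
    putchar('\n');

    /* SELinux off and no broken_shadow: the configuration in the report */
    printf("0.79 account stage:    %s\n", path_name(account_stage(found, 0, 0, 0)));
    printf("with '||' on line 245: %s\n", path_name(account_stage(found, 0, 0, 1)));
    return 0;
}
```

Run unprivileged with SELinux disabled, the probe reports NULL with EACCES and the model lands on "return PAM_AUTHINFO_UNAVAIL (9)", the same PAM Error(9) check_user shows above; as root the entry is found and the stage continues. Note that with '||' the helper is also spawned whenever SELinux is enabled, even if the entry was readable, which is exactly what the report's one-character change does.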