tags 367834 moreinfo
thanks

Zilvinas,

On Thu, May 18, 2006 at 03:44:34PM +0300, Zilvinas Valinskas wrote:
> Problem appears on line 245. Because check_user is run as non-root user it is
> denied access to /etc/shadow file naturally. 'spent == NULL'. Then there is a
> check if selinux is enabled (is_selinux_enabled() returns 0). So in this case
> '_unix_run_verify_binary' will not be called at all and pam_sm_acct_mgmt()
> returns PAM_AUTHINFO_UNAVAIL (on line 253).

> Fix is very simple, you must change '&&' to '||' on line 245. Without this
> change manual page unix_chkpwd(8) contradicts reality. Also manual claims
> "In this way it is possible for applications like xlock to work without
> being setuid root." , yes it does, but still xlock has been "fixed" in the
> following way - DON'T CALL 'pam_acct_mgmt()' at all. Perhaps that is correct
> solution (hack ?) - this way exactly the same problem is being 'fixed'.

Sorry, I don't think the current behavior is a bug.  The purpose of the
pam_unix account check is to verify whether a user's account is active.  Why
do you need a process which runs as the user to ask PAM for this
information?  Isn't it obvious that the *current* user has an ok account,
and there's no need for a pam_unix account check?

Anyway, your proposed fix is wrong; the correct check if this were
implemented would be

        (!spent && (SELINUX_ENABLED || getuid()))

but I just don't see any reason to make this change.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
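As an added illustration (not code from pam_unix or from either message above), the C model below encodes the three forms of the line-245 condition discussed in the thread and shows which of them call the unix_chkpwd helper in the xlock case, a non-root process that cannot read /etc/shadow. The return-code values are placeholders rather than the real PAM constants, and the helper is assumed to always be able to report an active account.

```c
/* Added model of the pam_sm_acct_mgmt() decision discussed in the thread.
 * It is not pam_unix code: the real module calls getspnam() and, when that
 * fails, may run the unix_chkpwd helper; here the environment is passed in
 * as plain arguments so every variant of the condition can be exercised
 * without root or SELinux. */
#include <stdbool.h>
#include <stdio.h>

/* Placeholder return codes, NOT the values from <security/pam_modules.h>. */
enum { MODEL_PAM_SUCCESS = 0, MODEL_PAM_AUTHINFO_UNAVAIL = 9 };

enum variant {
    COND_CURRENT,    /* !spent && SELINUX_ENABLED, as reported in the bug */
    COND_PROPOSED,   /* !spent || SELINUX_ENABLED, the '&&' -> '||' change */
    COND_CORRECTED   /* !spent && (SELINUX_ENABLED || getuid()), from the reply */
};

/* have_spent: getspnam() returned an entry (the process could read /etc/shadow)
 * selinux:    is_selinux_enabled() returned non-zero
 * uid:        getuid() of the calling process
 * Returns whether this variant would call _unix_run_verify_binary(). */
bool runs_helper(enum variant v, bool have_spent, bool selinux, unsigned uid)
{
    switch (v) {
    case COND_CURRENT:   return !have_spent && selinux;
    case COND_PROPOSED:  return !have_spent || selinux;
    case COND_CORRECTED: return !have_spent && (selinux || uid != 0);
    }
    return false;
}

/* The account status must come from the shadow entry or from the helper;
 * with neither, the module gives up with PAM_AUTHINFO_UNAVAIL.  The helper
 * is modelled as always able to report an active account. */
int acct_mgmt(enum variant v, bool have_spent, bool selinux, unsigned uid)
{
    if (have_spent || runs_helper(v, have_spent, selinux, uid))
        return MODEL_PAM_SUCCESS;
    return MODEL_PAM_AUTHINFO_UNAVAIL;
}

int main(void)
{
    static const char *names[] = { "current", "proposed", "corrected" };
    /* The xlock case: uid 1000, no SELinux, /etc/shadow unreadable. */
    for (int v = COND_CURRENT; v <= COND_CORRECTED; v++)
        printf("%-9s helper=%d result=%d\n", names[v],
               runs_helper((enum variant)v, false, false, 1000),
               acct_mgmt((enum variant)v, false, false, 1000));
    return 0;
}
```

The proposed '||' form makes the xlock case succeed, but it also runs the helper for a root process that already read the shadow entry whenever SELinux is on, which is why the reply calls it wrong; the corrected form runs the helper only when the entry is unavailable.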
