[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

login session opened by user not root



Included below is a message I sent to one of our internal lists here
at work describing a problem where PWDB reported a login session started
by a user instead of root

Nov 12 15:44:15 sherrill PAM_pwdb[9025]: (login) session opened for
user mjames by wimpy(uid=0) 

However the mjames user came in from a telnet session off one of our
terminal servers, not from anything to do with wimpy.

It looks like some sort of utmp thing perhaps, wimpy's session ends
when mjames' session begins. (I, I think, incorrectly conclude below
that it is the stale sessions, not the closed sessions, that are the
problem. I've since had my mind changed.)

I've seen this sort of thing happen before (in a non PAM environment),
once, and from our logs it looks like these two times are the only
times it has happened on this particular machine in the last three
months.

Is there any possibility this is a PAM problem or is it just an
artifact of 'that's just the way unix is'?

Some config info:

Linux xxxxxxx.kiva.net 2.0.30 #24 Thu Sep 25 14:34:04 EST 1997 i686
redhat 4.1 (with some 4.2 bits)

util-linux-2.5-34.1
pam-0.57-4
pwdb-0.54-4

/etc/pam.d/login:
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_shells.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so


Thanks.


---------- Forwarded message ----------
Date: Wed, 12 Nov 1997 17:26:57 -0500 (EST)
From: Chris Dent <cdent@kiva.net>
Subject: SYSTEMS: a very strange thing



Neal came to me with a problem from a user who noticed that her most
recents posts to a newsgroup were showing the name of another user
instead of her own.

She is user mjames with a Gecos name of (MJames). Her username was
showing up in the post but the personal part was the gecos name of
wimpy (Mike Stapleton).

I went poking about and discovered that for some reason:

Nov 11 16:02:34 xxxxxxxx PAM_pwdb[17970]: (login) session opened for
user falcon by wimpy(uid=0) 
Nov 12 15:44:15 xxxxxxxx PAM_pwdb[9025]: (login) session opened for
user mjames by wimpy(uid=0) 

which shouldn't happen.

Wimpy does have some stale log in sessions:

root:/home/cdent# last wimpy
wimpy    ttyr7        xxxxxxxx.Indy.ki Tue Nov 11 11:17   still logged in
wimpy    ttyr4        xxxxxxxx.Indy.ki Tue Nov 11 11:13   still logged in
wimpy    ttyp9        xxxxxxxx.Indy.ki Tue Nov 11 10:58 - 16:02 (05:04)
wimpy    ttyr0        xxxxxxxx.Indy.ki Tue Nov 11 10:53 - 15:44 (1+04:50)

and this probably is the cause of what is going on but it doesn't seem
like it should be happening.

I checked the logs and it is only with the falcon and mjames logins
that this happened.

I'm going to post to the pam list to see if it sheds some light.

..........................
Chris Dent.........SysAdmin
...........Kiva Networking



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []