SuSE loading PAM?

Joe Lewis joe at joe-lewis.com
Tue Jun 22 22:10:10 UTC 2004


If there is no /etc/passwd account with an ID of 3, you might have 
nsswitch-mysql, or nsswitch-ldap, or nis+ grabbing the account from a 
different location.  You'd have to check all of those locations.

Perhaps the EASIEST way to check if a service is running as root is to 
comment out the pam modules for the service that authenticate against 
mysql/ldap/nis/etc and then authenticate against multiple /etc/passwd 
accounts.  A failure typically means that the service is not run as root.

Joe

Jason Gerfen wrote:

> Yeah you have, so my problem isn't that I am loading the module in the 
> wrong file or location, it is forking to whatever account has a UID of 
> 3.  I have double checked the /etc/passwd for any account with that UID 
> and there isn't one listed.  Is that normal?  Also how can I find out if 
> PAM is being executed as root?
> 
> Thanks again for the info.
> 
> Joe Lewis wrote:
> 
>> Jason Gerfen wrote:
>>
>>> I am writing a PAM module and it works fine, does simple logging of 
>>> login attempts etc.  The problem with this is it only seems to load 
>>> if I use the /etc/pam.d/gdm file to load it.
>>
>>
>>
>> For all Gnome Display Manager logins, it will use the gdm file.
>>
>>> From what I understand about PAM the /etc/pam.d/login file should be 
>>> the one to load the module to log authentication attempts correct?
>>
>>
>>
>> /etc/pam.d/login is used for text-console-based logins.  This is the 
>> beauty of PAM - different login mechanisms for different services.
>>
>>> Second question, as I am writing this I attempt to get the current 
>>> owner of the process and it is coming up as UID & EUID as 3?  Is this 
>>> a system user?  I could not google up anything on this behavior.
>>
>>
>>
>> Look in /etc/passwd for the account with UID of 3.
>>
>>> My third question is if PAM is not running as the root user is there 
>>> an existing module that will switch to the root user on the fly in 
>>> order to run some authentication commands before returning to the 
>>> normal user?  Any help is appreciated...
>>
>>
>>
>> There is no mechanism to switch to root for the authentication.  
>> Often, a service will be running as root.  When an authentication 
>> request comes in, a separate process will be fork()ed, and that 
>> process switches from root to the user that just authenticated, while 
>> the service starts listening again for new connections.
>>
>> If you build a PAM-aware application, make sure that it is executed as 
>> root, or any authentications will fail (because only root has access 
>> to the shadow password files).
>>
>> I was playing with a test application, and it would only allow the 
>> current user to authenticate.  As soon as the application became root 
>> and could gain access to the shadow files, I could authenticate any 
>> user in the files.
>>
>> I hope I've answered a few questions in my ramblings.  Let me know if 
>> I haven't.
>>
>> Joe
> 
> 
> 
> 




