Hi folks, I'm using Debian potato (r2.2) with PAM-support v0.72. For authenticating against apache (v1.3.9) I would like to use PAM (libapache-mod-auth v0.8.5). I installed the mentioned modules and configured /etc/pam.d/httpd in the following manner: auth required pam_unix_auth.so shadow audit account required pam_unix_acct.so shadow audit password required pam_unix_passwd.so shadow audit The configuration in apache looks like: - the pam module is loaded: LoadModule pam_auth_module /usr/lib/apache/1.3/mod_auth_pam.so - the secured site is declared as: Alias /secure/ "/home/secure/" <Directory "/home/secure"> Options Indexes FollowSymlinks AllowOverride AuthConfig AuthType Basic AuthName "====== secure user area ======" AuthAuthoritative on AuthPAM_Enabled on AuthPAM_FallThrough off require group projekte require user doedel Order allow,deny Allow from all </Directory> When going to the site http://localhost/secure/ my netscape (v4.7) asks me for username and password. Using an appropriate user/password, apache rejects the connection. The logging in /var/log/auth.log says: PAM_unix[3026]: authentication failure; (uid=33) -> xxx for httpd service (where xxx is the used username) The logging in /var/log/apache/error.log says: [error] (25)Inappropriate ioctl for device: access to /secure/ failed for 127.0.0.1, reason: Authentication failure After trying this for a while I set chmod o+r /etc/shadow and then it works. But this cannot be the solution, because shadow wouldn't be shadowing anymore. So, after reverting this chmod, I made a strace of the running apache while connecting to the site: The marked points are interesting: first the reading of /etc/shadow is forbidden, and afterwards the tool unix_chkpwd runs and is allowed to read from /etc/shadow. [pid 518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0 [pid 518] select(0, NULL, NULL, NULL, {1, 0} <unfinished ...> [pid 1164] <... 
accept resumed> {sin_family=AF_INET, sin_port=htons(1087), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 3 [pid 1164] fcntl(20, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0 [pid 1164] rt_sigaction(SIGUSR1, {SIG_IGN}, {0x805b0f4, [], SA_INTERRUPT|0x4000000}, 8) = 0 [pid 1164] getsockname(3, {sin_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 0 [pid 1164] setsockopt(3, IPPROTO_TCP1, [1], 4) = 0 [pid 1164] read(3, "GET /secure/ HTTP/1.0\r\nConnection: K"..., 4096) = 273 [pid 1164] rt_sigaction(SIGUSR1, {SIG_IGN}, {SIG_IGN}, 8) = 0 [pid 1164] time(NULL) = 981892208 [pid 1164] gettimeofday({981892208, 826060}, NULL) = 0 [pid 1164] stat("/home/hs", ) = 0 [pid 1164] open("/home/secure/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory) [pid 1164] write(3, "HTTP/1.1 401 Authorization Requi"..., 707) = 707 [pid 1164] time(NULL) = 981892208 [pid 1164] write(18, "127.0.0.1 - - [11/Feb/2001:12"..., 74) = 74 [pid 1164] gettimeofday({981892208, 899724}, NULL) = 0 [pid 1164] times({tms_utime=0, tms_stime=1, tms_cutime=0, tms_cstime=0}) = 148086 [pid 1164] shutdown(3, 1 /* send */) = 0 [pid 1164] select(4, [3], NULL, NULL, {2, 0} <unfinished ...> [pid 1162] <... fcntl resumed> ) = 0 [pid 1162] accept(17, <unfinished ...> [pid 518] <... select resumed> ) = 0 (Timeout) [pid 518] time(NULL) = 981892209 [pid 518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0 [pid 518] select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout) [pid 518] time(NULL) = 981892210 [pid 518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0 [pid 518] select(0, NULL, NULL, NULL, {1, 0} <unfinished ...> [pid 1164] <... select resumed> ) = 0 (Timeout) [pid 1164] close(3) = 0 [pid 1164] rt_sigaction(SIGUSR1, {0x805b0f4, [], SA_INTERRUPT|0x4000000}, {SIG_IGN}, 8) = 0 [pid 1164] fcntl(20, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0} <unfinished ...> [pid 518] <... 
select resumed> ) = 0 (Timeout) [pid 518] time(NULL) = 981892211 [pid 518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0 [pid 518] select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout) [pid 518] time(NULL) = 981892212 [pid 518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0 [pid 518] select(0, NULL, NULL, NULL, {1, 0} <unfinished ...> [pid 1162] <... accept resumed> {sin_family=AF_INET, sin_port=htons(1088), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 3 [pid 1162] fcntl(20, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0} <unfinished ...> [pid 1164] <... fcntl resumed> ) = 0 [pid 1164] accept(17, <unfinished ...> [pid 1162] <... fcntl resumed> ) = 0 [pid 1162] rt_sigaction(SIGUSR1, {SIG_IGN}, {0x805b0f4, [], SA_INTERRUPT|0x4000000}, 8) = 0 [pid 1162] getsockname(3, {sin_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 0 [pid 1162] setsockopt(3, IPPROTO_TCP1, [1], 4) = 0 [pid 1162] read(3, "GET /secure/ HTTP/1.0\r\nConnection: K"..., 4096) = 312 [pid 1162] rt_sigaction(SIGUSR1, {SIG_IGN}, {SIG_IGN}, 8) = 0 [pid 1162] time(NULL) = 981892213 [pid 1162] gettimeofday({981892213, 113195}, NULL) = 0 [pid 1162] stat("/home/secure", ) = 0 [pid 1162] open("/home/secure/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory) [pid 1162] stat("/etc/pam.d", ) = 0 [pid 1162] open("/etc/pam.d/httpd", O_RDONLY) = 4 [pid 1162] fstat(4, ) = 0 [pid 1162] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 [pid 1162] read(4, "auth required pam_uni"..., 4096) = 297 [pid 1162] open("/lib/security/pam_unix.so", O_RDONLY) = 5 [pid 1162] fstat(5, ) = 0 [pid 1162] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340#\0"..., 4096) = 4096 [pid 1162] old_mmap(NULL, 93652, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x40235000 [pid 1162] mprotect(0x4023f000, 52692, PROT_NONE) = 0 [pid 1162] old_mmap(0x4023f000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x9000) = 0x4023f000 [pid 1162] old_mmap(0x40240000, 48596, 
PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40240000 [pid 1162] close(5) = 0 [pid 1162] read(4, "", 4096) = 0 [pid 1162] close(4) = 0 [pid 1162] munmap(0x40016000, 4096) = 0 [pid 1162] open("/etc/pam.d/other", O_RDONLY) = 4 [pid 1162] fstat(4, ) = 0 [pid 1162] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 [pid 1162] read(4, "#\n# /etc/pam.d/other - specify t"..., 4096) = 341 [pid 1162] read(4, "", 4096) = 0 [pid 1162] close(4) = 0 [pid 1162] munmap(0x40016000, 4096) = 0 [pid 1162] time(NULL) = 981892213 [pid 1162] time([981892213]) = 981892213 [pid 1162] getpid() = 1162 [pid 1162] rt_sigaction(SIGPIPE, {0x40140eec, [], 0x4000000}, {SIG_IGN}, 8) = 0 [pid 1162] getuid() = 33 [pid 1162] time([981892213]) = 981892213 [pid 1162] getpid() = 1162 [pid 1162] rt_sigaction(SIGPIPE, {0x40140eec, [], 0x4000000}, {SIG_IGN}, 8) = 0 [pid 1162] getuid() = 33 [pid 1162] open("/etc/passwd", O_RDONLY) = 4 [pid 1162] fcntl(4, F_GETFD) = 0 [pid 1162] fcntl(4, F_SETFD, FD_CLOEXEC) = 0 [pid 1162] fstat(4, ) = 0 [pid 1162] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 [pid 1162] _llseek(4, 0, [0], SEEK_CUR) = 0 [pid 1162] read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1755 [pid 1162] close(4) = 0 [pid 1162] munmap(0x40016000, 4096) = 0 !!! [pid 1162] open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied) [pid 1162] geteuid() = 33 [pid 1162] pipe([4, 5]) = 0 [pid 1162] fork() = 2117 [pid 1162] close(4) = 0 [pid 1162] write(5, "nonull\0\0", 8) = 8 [pid 1162] write(5, "xxxxx\0", 9) = 9 !! 
here the entred password [pid 1162] close(5) = 0 [pid 1162] wait4(2117, <unfinished ...> [pid 2117] close(5) = 0 [pid 2117] dup2(4, 0) = 0 [pid 2117] execve("/sbin/unix_chkpwd", ["/sbin/unix_chkpwd"], []) = 0 [pid 2117] brk(0) = 0x804c614 [pid 2117] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) [pid 2117] open("/etc/ld.so.cache", O_RDONLY) = 5 [pid 2117] fstat(5, ) = 0 [pid 2117] old_mmap(NULL, 13799, PROT_READ, MAP_PRIVATE, 5, 0) = 0x40014000 [pid 2117] close(5) = 0 [pid 2117] open("/lib/libnsl.so.1", O_RDONLY) = 5 [pid 2117] fstat(5, ) = 0 [pid 2117] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0@\0\000"..., 4096) = 4096 [pid 2117] old_mmap(NULL, 88200, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x40018000 [pid 2117] mprotect(0x4002a000, 14472, PROT_NONE) = 0 [pid 2117] old_mmap(0x4002a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x11000) = 0x4002a000 [pid 2117] old_mmap(0x4002c000, 6280, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4002c000 [pid 2117] close(5) = 0 [pid 2117] open("/lib/libcrypt.so.1", O_RDONLY) = 5 [pid 2117] fstat(5, ) = 0 [pid 2117] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\16"..., 4096) = 4096 [pid 2117] old_mmap(NULL, 183228, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x4002e000 [pid 2117] mprotect(0x40033000, 162748, PROT_NONE) = 0 [pid 2117] old_mmap(0x40033000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x4000) = 0x40033000 [pid 2117] old_mmap(0x40034000, 158652, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40034000 [pid 2117] close(5) = 0 [pid 2117] open("/lib/libc.so.6", O_RDONLY) = 5 [pid 2117] fstat(5, ) = 0 [pid 2117] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\264\213"..., 4096) = 4096 [pid 2117] old_mmap(NULL, 902044, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x4005b000 [pid 2117] mprotect(0x40130000, 29596, PROT_NONE) = 0 [pid 2117] old_mmap(0x40130000, 16384, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED, 5, 0xd4000) = 0x40130000 [pid 2117] old_mmap(0x40134000, 13212, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40134000 [pid 2117] close(5) = 0 [pid 2117] munmap(0x40014000, 13799) = 0 [pid 2117] personality(PER_LINUX) = 0 [pid 2117] getpid() = 2117 [pid 2117] fcntl(0, F_GETFD) = 0 [pid 2117] fcntl(1, F_GETFD) = 0 [pid 2117] fcntl(2, F_GETFD) = 0 [pid 2117] rt_sigaction(SIGILL, {0x8048b4c, [], SA_ONESHOT|0x4000000}, NULL, 8) = 0 [pid 2117] rt_sigaction(SIGTRAP, {0x8048b4c, [], SA_ONESHOT|0x4000000}, NULL, 8) = 0 [pid 2117] rt_sigaction(SIGBUS, {0x8048b4c, [], SA_ONESHOT|0x4000000}, NULL, 8) = 0 [pid 2117] rt_sigaction(SIGSEGV, {0x8048b4c, [], SA_ONESHOT|0x4000000}, NULL, 8) = 0 [pid 2117] rt_sigaction(SIGTERM, {SIG_IGN}, NULL, 8) = 0 [pid 2117] rt_sigaction(SIGHUP, {SIG_IGN}, NULL, 8) = 0 [pid 2117] rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0 [pid 2117] rt_sigaction(SIGQUIT, {SIG_IGN}, NULL, 8) = 0 [pid 2117] ioctl(0, TCGETS, 0xbffffd48) = -1 EINVAL (Invalid argument) [pid 2117] getuid() = 33 [pid 2117] brk(0) = 0x804c614 [pid 2117] brk(0x804ca2c) = 0x804ca2c [pid 2117] brk(0x804d000) = 0x804d000 [pid 2117] socket(PF_UNIX, SOCK_STREAM, 0) = 5 [pid 2117] connect(5, ) = -1 ECONNREFUSED (Connection refused) [pid 2117] close(5) = 0 [pid 2117] open("/etc/nsswitch.conf", O_RDONLY) = 5 [pid 2117] fstat(5, ) = 0 [pid 2117] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000 [pid 2117] read(5, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 465 [pid 2117] read(5, "", 4096) = 0 [pid 2117] close(5) = 0 [pid 2117] munmap(0x40014000, 4096) = 0 [pid 2117] open("/etc/ld.so.cache", O_RDONLY) = 5 [pid 2117] fstat(5, ) = 0 [pid 2117] old_mmap(NULL, 13799, PROT_READ, MAP_PRIVATE, 5, 0) = 0x40014000 [pid 2117] close(5) = 0 [pid 2117] open("/lib/libnss_compat.so.2", O_RDONLY) = 5 [pid 2117] fstat(5, ) = 0 [pid 2117] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\31\0"..., 4096) = 4096 
[pid 2117] brk(0x804e000) = 0x804e000 [pid 2117] old_mmap(NULL, 44332, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x40138000 [pid 2117] mprotect(0x40142000, 3372, PROT_NONE) = 0 [pid 2117] old_mmap(0x40142000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x9000) = 0x40142000 [pid 2117] close(5) = 0 [pid 2117] munmap(0x40014000, 13799) = 0 [pid 2117] uname({sysname="Linux", ) = 0 [pid 2117] open("/etc/passwd", O_RDONLY) = 5 [pid 2117] fcntl(5, F_GETFD) = 0 [pid 2117] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 [pid 2117] fstat(5, ) = 0 [pid 2117] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000 [pid 2117] _llseek(5, 0, [0], SEEK_CUR) = 0 [pid 2117] read(5, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1755 [pid 2117] close(5) = 0 [pid 2117] munmap(0x40014000, 4096) = 0 [pid 2117] read(0, "nonull\0\0", 8) = 8 !!! [pid 2117] read(0, "xxxxx\0", 200) = 9 !! here the entered password [pid 2117] open("/etc/passwd", O_RDONLY) = 5 [pid 2117] fcntl(5, F_GETFD) = 0 [pid 2117] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 [pid 2117] open("/etc/passwd", O_RDONLY) = 6 [pid 2117] fcntl(6, F_GETFD) = 0 [pid 2117] fcntl(6, F_SETFD, FD_CLOEXEC) = 0 [pid 2117] fstat(6, ) = 0 [pid 2117] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000 [pid 2117] _llseek(6, 0, [0], SEEK_CUR) = 0 [pid 2117] read(6, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1755 [pid 2117] close(6) = 0 [pid 2117] munmap(0x40014000, 4096) = 0 [pid 2117] close(5) = 0 [pid 2117] open("/etc/shadow", O_RDONLY) = 5 [pid 2117] fcntl(5, F_GETFD) = 0 [pid 2117] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 !!! 
[pid 2117] open("/etc/shadow", O_RDONLY) = 6 [pid 2117] fcntl(6, F_GETFD) = 0 [pid 2117] fcntl(6, F_SETFD, FD_CLOEXEC) = 0 [pid 2117] fstat(6, ) = 0 [pid 2117] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000 [pid 2117] _llseek(6, 0, [0], SEEK_CUR) = 0 [pid 2117] read(6, "root:xxxxxxx:10901:0:99999"..., 4096) = 1157 [pid 2117] close(6) = 0 [pid 2117] munmap(0x40014000, 4096) = 0 [pid 2117] close(5) = 0 [pid 2117] _exit(0) = ? [pid 1162] <... wait4 resumed> [WIFEXITED(s) && WEXITSTATUS(s) == 0], 0, NULL) = 2117 [pid 1162] --- SIGCHLD (Child exited) --- I also tested the tool /sbin/unix_chkpwd with echo -n "nonull xxxx" | /sbin/unix_chkpwd && echo ok where xxxx is the password of the logged-in user; it's ok. Can anyone help me? Is anyone else using PAM in this way? Thanks! -- Stefan-W. Hahn / mailto:stefan.hahn@online.de /