Mike Gerdts wrote:
>
> Sounds to me like you have pam modules stacked and you have different
> passwords stored in different authentication sources. Perhaps one of
> them is a shadow file, it is only readable by root.

No ... just one of them stacked, under auth required pam_pwdb.so. It authenticates some passwords and not others, depending on the password. Short, long, it doesn't matter - some work, some don't. However, works always when running as root.

Seems this would be an essential capability (i.e., *not* running as root) for authentication of user-level functions driven from a shell or from a CGI script. I have a way around it by making my application module run setuid as root, but I suspect that something lurks.

I am running a shadowed password file which, of course, is readable only by root. I don't know how the pam_pwdb.so module would get itself into root mode (is there such a thing as setuid for dynamic libraries?). If it can't read the shadow file, then it should *never* authenticate - but I can make it do that by changing the target user's password to certain values.

So the inherent questions are:

1) must pam_authenticate be called only as root?
2) if not, how does it ever succeed in reading a shadow file if not setuid'd to root?

Dave