Re: simple password authorization: how to get around logname?

Nate Yocom pinned it. If you don't run it as root, it can't read the /etc/shadow file. Period. Obviously, it won't have access to it, so it can't establish the authentication credentials.

I'm afraid you have to worry about security and be root at some point, in order for the application to successfully "login".

Joe

Alois Treindl wrote:

I am moving a database application from HPUX to Redhat RHEL 3.0.

A user on a terminal session can login to the database by identifying herself with one of the legal user names of our system. The password is requested, and we used to compare it to the password stored in the HPUX /etc/passwd file.

Now, on RHEL the passwords are in the /etc/shadow file and we do not want to give the application root-setuid to be able to read it.

I decided to switch to PAM, but have no experience with it.

I took example code from "The Linux-PAM Application Developers' Guide" to get simple password-based authentication.

My service is called 'kdv' and I created an entry in /etc/pam.d/kdv:

    auth       required     pam_unix.so

my little test application pamtest.c reads like this:

/* build with: cc pamtest.c -o pamtest -lpam -lpam_misc */
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <stdio.h>
#include <stdlib.h>

static struct pam_conv conv = {
    misc_conv,          /* text-mode conversation function from libpam_misc */
    NULL
};

int main(int argc, char *argv[])
{
  pam_handle_t *pamh = NULL;
  int retval;
  const char *user = "nobody";
  static char s[80];   /* static: putenv() keeps a pointer to this buffer */

  if (argc == 2) {
      user = argv[1];
  }
  /* Set LOGNAME to the requested user. The original called getenv() here,
     which has no effect; pam_unix's decision does not depend on LOGNAME. */
  snprintf(s, sizeof s, "LOGNAME=%s", user);
  putenv(s);

  retval = pam_start("kdv", user, &conv, &pamh);
  if (retval == PAM_SUCCESS)
      retval = pam_authenticate(pamh, 0);    /* is user really user? */
  if (retval == PAM_SUCCESS) {
      fprintf(stdout, "Authenticated\n");
  } else {
      fprintf(stdout, "retval=%d, Not Authenticated\n", retval);
  }
  if (pam_end(pamh, retval) != PAM_SUCCESS) {     /* close Linux-PAM */
      pamh = NULL;
      fprintf(stderr, "check_user: failed to release authenticator\n");
      exit(1);
  }
  return (retval == PAM_SUCCESS ? 0 : 1);       /* indicate success */
}


When I call pamtest username

I find that I get authenticated if username is equal to the current shell's logname,

but I am not authenticated if I try
pamtest other_username

(where other_username is a valid user and I know his password)

In the latter case, the syslog contains an entry:
kdv(pam_unix)[29287]: authentication failure; logname=(mylogname) uid=xxx euid=xxx tty= ruser= rhost= user=other_username


What do I need to do so that pamtest allows me to authenticate
for any user?

(The same way that 'su' allows me to become any other user from my given shell session, if I know that user's password.)

I am aware that I have very little understanding of PAM, and I would be happy to remain as ignorant as I am, if I just get that little task working.

Alois


_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
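The behaviour Alois describes (success only for the current login name, an "authentication failure" syslog entry for any other valid user) comes from how pam_unix checks passwords for a non-root caller: it cannot read /etc/shadow itself, so it runs the setuid-root helper unix_chkpwd, which only verifies the account matching the calling process's real uid. su works for any user because su is itself setuid root. The following added example (not code from this thread, nor Linux-PAM's own) models that helper policy in Python with a constructed credential store and invented users alice and bob; PBKDF2 stands in for crypt(3) so it runs with only the standard library.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed credential store standing in for /etc/passwd + /etc/shadow.
# Real systems store crypt(3) hashes; PBKDF2-HMAC-SHA256 is used here only
# so the example runs offline. Users, uids and passwords are invented.
_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _entry(uid: int, password: str) -> Tuple[int, bytes, bytes]:
    salt = os.urandom(16)
    return uid, salt, _hash(password, salt)


SHADOW: Dict[str, Tuple[int, bytes, bytes]] = {
    "alice": _entry(1001, "alice-pass"),
    "bob": _entry(1002, "bob-pass"),
}


def helper_check(user: str, password: str, caller_uid: int) -> str:
    """Policy of a setuid-root password helper such as unix_chkpwd.

    Returns "ok", "refused" (caller is not root and is asking about an
    account other than its own) or "bad-password".
    """
    entry = SHADOW.get(user)
    if entry is None:
        # Unknown accounts fail exactly like a wrong password, so the
        # helper does not leak which user names exist.
        return "bad-password"
    uid, salt, stored = entry
    # A non-root caller may only verify the password of its own account.
    # This is the check that makes "pamtest other_username" fail even when
    # the password is correct, regardless of LOGNAME.
    if caller_uid != 0 and caller_uid != uid:
        return "refused"
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "bad-password"


def audit_line(user: str, caller_uid: int, logname: Optional[str]) -> str:
    """Shape of the failure line pam_unix writes to syslog (modelled on the
    entry quoted in the thread; pid and tty fields omitted)."""
    return (f"kdv(pam_unix): authentication failure; logname={logname} "
            f"uid={caller_uid} euid={caller_uid} user={user}")


def app_authenticate(user: str, password: str, caller_uid: int) -> bool:
    """What the unprivileged application observes: only success or failure,
    like pam_authenticate() returning PAM_SUCCESS or PAM_AUTH_ERR."""
    return helper_check(user, password, caller_uid) == "ok"


if __name__ == "__main__":
    # alice (uid 1001) authenticating as herself, then as bob, then root as bob
    for user, caller in (("alice", 1001), ("bob", 1001), ("bob", 0)):
        ok = app_authenticate(user, f"{user}-pass", caller)
        print(f"caller uid {caller} -> {user}: {'Authenticated' if ok else 'Not Authenticated'}")
        if not ok:
            print("  " + audit_line(user, caller, "alice"))
```

The two routes out of this are the ones the thread mentions: either the application runs with an effective uid of root (and can then read /etc/shadow, or let pam_unix do so), or the password check is delegated to a separate setuid-root helper with a narrow interface, which is exactly what unix_chkpwd is; the helper's refusal to check other accounts for unprivileged callers is what keeps an ordinary user from using it as an offline password oracle.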

