Re: SuSE loading PAM?

[Joe Lewis <joe@xxxxxxxxxxxxx>]

If there is no /etc/passwd account with an ID of 3, you might have 
nsswitch-mysql, or nsswitch-ldap, or nis+ grabbing the account from a 
different location.  You'd have to check all of those locations.

Perhaps the EASIEST way to check if a service is running as root is to 
comment out the pam modules for the service that authenticate against 
mysql/ldap/nis/etc and then authenticate against multiple /etc/passwd 
accounts.  A failure typically means that the service is not run as root.

Joe

Jason Gerfen wrote:

> Yeah you have, so my problem isnt that i am loading the module in the 
> wrong file or location, it is forking to whatever accout has a UID of 
> 3.  I have double checked the /etc/passwd for any account with that UID 
> and there isn't one listed.  Is that normal?  Also how can I find out if 
> PAM is being executed as root?
>
> Thanks again for the info.
>
> Joe Lewis wrote:
>
> > Jason Gerfen wrote:
> >
> > > I am writting a pam module and it works fine, does simple logging of 
> > > login attempts etc.  The problem with this is it only seems to load 
> > > if I use the /etc/pam.d/gdm file to load it.
> >
> >
> >
> > For all Gnome Display Manager login's, it will use the gdm file.
> >
> > > From what I understand about PAM the /etc/pam.d/login file should be 
> > > the one to load the module to log authentication attempts correct?
> >
> >
> >
> > /etc/pam.d/login is used for text-console-based logins.  This is the 
> > beauty of PAM - different login mechanisms for different services.
> >
> > > Second question, as I am writting this I attempt to get the current 
> > > owner of the process and it is coming up as UID & EUID as 3?  Is this 
> > > a system user?  I could not google up anything on this behavior.
> >
> >
> >
> > Look in /etc/passwd for the account with UID of 3.
> >
> > > My third question is if PAM is not running as the root user is there 
> > > an existing module that will switch to the root user on the fly in 
> > > order to run some authentication commands before returning to the 
> > > normal user?  Any help is appreciated...
> >
> >
> >
> > There is no mechanism to switch to root for the authentication.  
> > Often, a service will be running as root.  When an authentication 
> > request comes in, a separate process will be fork()ed, and that 
> > process switches from root to the user that just authenticated, while 
> > the service starts listening again for new connections.
> >
> > If you build a PAM-aware application, make sure that it is executed as 
> > root, or any authentications will fail (because only root has access 
> > to the shadow password files).
> >
> > I was playing with a test application, and it would only allow the 
> > current user to authenticate.  As soon as the application became root 
> > and could gain access to the shadow files, I could authenticate any 
> > user in the files.
> >
> > I hope I've answered a few questions in my ramblings.  Let me know if 
> > I haven't.
> >
> > Joe
> >
> >
> > _______________________________________________
> >
> > Pam-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/pam-list


_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list