Perhaps the EASIEST way to check if a service is running as root is to comment out the pam modules for the service that authenticate against mysql/ldap/nis/etc and then authenticate against multiple /etc/passwd accounts. A failure typically means that the service is not run as root.
Joe
Jason Gerfen wrote:
Yeah you have, so my problem isn't that I am loading the module in the wrong file or location, it is forking to whatever account has a UID of 3. I have double checked the /etc/passwd for any account with that UID and there isn't one listed. Is that normal? Also how can I find out if PAM is being executed as root?
Thanks again for the info.
Joe Lewis wrote:
Jason Gerfen wrote:
I am writing a pam module and it works fine, does simple logging of login attempts etc. The problem with this is it only seems to load if I use the /etc/pam.d/gdm file to load it.
For all Gnome Display Manager logins, it will use the gdm file.
From what I understand about PAM the /etc/pam.d/login file should be the one to load the module to log authentication attempts correct?
/etc/pam.d/login is used for text-console-based logins. This is the beauty of PAM - different login mechanisms for different services.
Second question, as I am writing this I attempt to get the current owner of the process and it is coming up as UID & EUID as 3? Is this a system user? I could not google up anything on this behavior.
Look in /etc/passwd for the account with UID of 3.
My third question is if PAM is not running as the root user is there an existing module that will switch to the root user on the fly in order to run some authentication commands before returning to the normal user? Any help is appreciated...
There is no mechanism to switch to root for the authentication. Often, a service will be running as root. When an authentication request comes in, a separate process will be fork()ed, and that process switches from root to the user that just authenticated, while the service starts listening again for new connections.
If you build a PAM-aware application, make sure that it is executed as root, or any authentications will fail (because only root has access to the shadow password files).
I was playing with a test application, and it would only allow the current user to authenticate. As soon as the application became root and could gain access to the shadow files, I could authenticate any user in the files.
I hope I've answered a few questions in my ramblings. Let me know if I haven't.
Joe
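An added example, not from this thread, of the pattern Joe describes above in C: the service stays root and keeps listening, the forked child would run the PAM conversation while it still has root (it needs to read the shadow file), and only then does it switch to the authenticated user. The PAM calls themselves are left as a comment; can_read_shadow, drop_privileges and serve_as_user are names chosen here, not from any PAM API.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if this process can read the shadow file (so pam_unix-style
 * authentication can work from it), 0 otherwise. */
int can_read_shadow(void)
{
    return access("/etc/shadow", R_OK) == 0;
}

/* Switch permanently from root to uid/gid. Order matters: supplementary
 * groups, then gid, then uid; after setuid() to a non-root user the
 * first two calls would be refused. Returns 0 on success, -1 on failure
 * with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && getgroups(0, NULL) != 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: getting root back has to fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Per-connection handler in the shape the thread describes: the parent
 * returns at once to keep listening; the child would run the PAM
 * conversation while still root, then becomes the authenticated user.
 * Returns the child's pid to the parent (-1 if fork() failed). */
pid_t serve_as_user(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid != 0)
        return pid;                 /* parent, or fork() error */
    /* child: pam_start()/pam_authenticate() would go here, still as root */
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        _exit(1);
    }
    /* now unprivileged: run the user's session here */
    _exit(0);
}
```

Running it as an ordinary user exercises the same code path as root would, except that the drop to your own uid is a no-op; as root it would drop to the requested uid and refuse to continue if root could be regained.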
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list