Re: PAM touching shadow?


 



The applications which use PAM (depending on what distro you're using are located in the /etc/pam.conf or /etc/pam.d/<name of application>), will always verify credentials using the /etc/passwd and /etc/shadow files.

You may be able to configure your X-display to use various options for allowing the user to keep their screensaver lock by adding something like the following to your X display subsystem:

XDM or GDM (files which use PAM in the /etc/pam.d)
auth required pam_unix.so use_authtok no_warn use_first_pass
auth required pam_unix2.so use_authtok no_warn use_first_pass
session required pam_unix.so use_authtok no_warn use_first_pass
account required pam_unix.so use_authtok no_warn use_first_pass
password required pam_unix.so use_authtok no_warn use_first_pass

# Since I am not sure which section (auth, session, account or password) is actually being called once the user logs back in after unlocking the screensaver, I would try the listed options to prevent unnecessary events to the auditor.

The four options I listed for each section of the pam_unix.so module might prevent your issue:

no_warn
use_first_pass
use_mapped_pass
use_authtok

Hope this helps...

Eric Reischer wrote:

Precisely; however it is trying to open /etc/shadow *as the logged-in
user*, not root.  This is what's throwing the errors in the audit log.

Eric

*********************************************************************
Eric Reischer                                 emr@xxxxxxxxxxxxxxx
"The most beautiful thing we can experience
is the mysterious."                    -- Albert Einstein
*********************************************************************


On Mon, 19 Jul 2004, Igmar Palsenberg wrote:



Unfortunately,
however, our workstations running xscreensaver have SNARE reporting that
the (non-root) logged-in user unsuccessfully attempts to touch the
/etc/shadow file, with timestamps that correspond to the exact times that
the user unlocks the window via xscreensaver.


Sounds logical to me: xscreensaver needs to verify the user's password,
lets PAM handle that, and PAM needs to open /etc/shadow to verify the
actual hashes.



I have narrowed it down to PAM (I think), as I've recompiled xscreensaver
with absolutely no passwd references; only the PAM libraries compiled in,
and the problem still presents itself. Does anyone know if PAM is making
this call at some point, and if so, what is the reason behind it? Is PAM
just doing a sanity permission check on the shadow file?


It's probably opening it.



	Igmar


_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list









--
Jason Gerfen
Student Computing Group
Marriott Library
University of Utah
(801) 585-9810
jason.Gerfen@xxxxxxxxxxxx

"...Sometimes I just yell at myself. And it
makes me sad, sometimes I make myself cry..."
			~ My nephew Dawsyn
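
Added example (not part of the original thread, and not code from PAM, xscreensaver or SNARE): one way to triage the audit events discussed above, so that denied /etc/shadow opens from the screensaver unlock are labelled as expected while any other non-root access is still surfaced. The key=value record layout, the sample records, the binary paths and the allow-list are all constructed assumptions, not SNARE's real output format.

```python
import shlex
from collections import Counter

# Constructed sample records in a simplified key=value layout (NOT SNARE's real format).
SAMPLE_LOG = """\
ts=2004-07-19T09:14:02 uid=1001 exe=/usr/X11R6/bin/xscreensaver syscall=open path=/etc/shadow result=denied
ts=2004-07-19T09:14:05 uid=0 exe=/bin/login syscall=open path=/etc/shadow result=ok
ts=2004-07-19T11:47:30 uid=1001 exe=/usr/bin/perl syscall=open path=/etc/shadow result=denied
ts=2004-07-19T12:01:11 uid=1002 exe=/usr/X11R6/bin/xscreensaver syscall=open path=/etc/shadow result=denied
ts=2004-07-19T12:30:00 uid=1002 exe=/bin/cat syscall=open path=/etc/shadow result=ok
ts=2004-07-19T12:31:00 uid=1002 exe=/bin/cat syscall=open path=/etc/passwd result=ok
"""

# Assumption: programs on this site that call PAM while running as the logged-in user.
EXPECTED_UNPRIVILEGED_PAM_CLIENTS = {"/usr/X11R6/bin/xscreensaver"}


def parse_record(line):
    """Split one key=value record into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def classify(rec):
    """Return 'ignore', 'expected', 'review' or 'alert' for one record."""
    if rec.get("path") != "/etc/shadow" or rec.get("syscall") != "open":
        return "ignore"      # not a shadow-file open
    if rec["uid"] == "0":
        return "ignore"      # root access is outside this triage
    if rec["result"] != "denied":
        return "alert"       # a non-root open succeeded: file permissions are wrong
    if rec["exe"] in EXPECTED_UNPRIVILEGED_PAM_CLIENTS:
        return "expected"    # PAM password check made as the user, e.g. at unlock
    return "review"          # denied, but not from a known PAM client


def triage(log_text):
    """Classify every non-empty record; returns a list of (verdict, record)."""
    return [(classify(rec), rec)
            for rec in map(parse_record, filter(str.strip, log_text.splitlines()))]


def summary(log_text):
    """Count verdicts across the log."""
    return Counter(verdict for verdict, _ in triage(log_text))


if __name__ == "__main__":
    for verdict, rec in triage(SAMPLE_LOG):
        if verdict != "ignore":
            print(f"{verdict:8} {rec['ts']} uid={rec['uid']} {rec['exe']}")
```
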



