Permissions on the password database may be too restrictive

Hi

I teach a Linux course at the Engineering College in Copenhagen and
the subject next time is PAM. To demonstrate how to use PAM I have
taken a small program from the O'Reilly book "Linux Security Cookbook"
(p.74). Trying to execute the compiled program results in this error
message:

Permissions on the password database may be too restrictive

The funny (?) thing is that if I make /etc/shadow world readable with
chmod, the program runs successfully. This, however, is not a
workaround I like! I hope one of you can provide me with a better
solution.

Here are some details about my setup: My distribution is Suse 10.0,
/etc/nsswitch has both passwd and shadow set to 'compat'. My
configuration file in /etc/pam.d is this:

#
#  /etc/pam.d/my_applic
#
# configuration file for PAM-aware program
#
auth         required     pam_unix2.so debug
account    required     pam_unix2.so

and finally, here is the application itself:
==============

/*  PAM-aware application - "Linux Security Cookbook" page 74.
 *
 *  compile with gcc pam_aware.c -lpam -lpam_misc -o pam_aware
 *
 *     *** requires package pam-devel installed ***
 *
 *  You need to add the following file to the /etc/pam.d directory
 *  /etc/pam.d/my_applic:
 *  # check authorization
 *  auth         required     pam_unix2.so
 *  account    required     pam_unix2.so
 */

#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <pwd.h>
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>   /* getuid() */

#define MY_CONFIG "my_applic"

void Run_My_Big_Application(void);  /* prototype */

/* misc_conv is the text-mode conversation function from libpam_misc */
static struct pam_conv conv = {misc_conv, NULL};

int main(void) {
  pam_handle_t *pamh = NULL;
  int result;
  struct passwd *pw;

  /* Authenticate the user who started the program (real UID) */
  if ((pw = getpwuid(getuid())) == NULL)
    perror("getpwuid");
  else if ((result = pam_start(MY_CONFIG, pw->pw_name, &conv, &pamh)) != PAM_SUCCESS)
    fprintf(stderr, "start failed: %s\n", pam_strerror(pamh, result));
  else if ((result = pam_authenticate(pamh, 0)) != PAM_SUCCESS)
    fprintf(stderr, "authenticate failed: %s\n", pam_strerror(pamh, result));
  else if ((result = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS)
    fprintf(stderr, "acct_mgmt failed: %s\n", pam_strerror(pamh, result));
  else if ((result = pam_end(pamh, 0)) != PAM_SUCCESS)
    fprintf(stderr, "end failed: %s\n", pam_strerror(pamh, result));
  else
    Run_My_Big_Application();  /* Run your application code */
  return 0;
}

void Run_My_Big_Application(void) {
  fprintf(stdout, "Hello from your PAM-aware application\n");
}

===============

Best regards,  Bent
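
As an added illustration (not part of the original post or of the book's program): PAM modules are loaded into the calling process and run with its privileges, so the symptom above can be checked by asking whether the process can open the shadow file, and the chmod workaround can be detected from the file's mode bits. The function names and DB_* flag values are hypothetical.

```c
/* Added example: who can read a password database file? */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical flag values for this example. */
#define DB_WORLD_READABLE 0x1   /* any local user can read the hashes */
#define DB_GROUP_READABLE 0x2   /* members of the owning group can read */
#define DB_NOT_ROOT_OWNED 0x4   /* owner is not uid 0 */

/* Classify the file's ownership and mode bits.
 * Returns a bitmask of DB_* flags, or -1 if stat() fails. */
int audit_db_mode(const char *path) {
    struct stat st;
    int flags = 0;

    if (stat(path, &st) != 0)
        return -1;
    if (st.st_mode & S_IROTH) flags |= DB_WORLD_READABLE;
    if (st.st_mode & S_IRGRP) flags |= DB_GROUP_READABLE;
    if (st.st_uid != 0)       flags |= DB_NOT_ROOT_OWNED;
    return flags;
}

/* Return 1 if this process can open the file for reading, else 0.
 * open() checks the effective UID/GID; access() would check the real ones. */
int caller_can_read(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/etc/shadow";
    int flags = audit_db_mode(path);

    printf("uid=%d euid=%d path=%s\n", (int)getuid(), (int)geteuid(), path);
    if (flags < 0) { perror("stat"); return EXIT_FAILURE; }
    printf("caller can read: %s\n", caller_can_read(path) ? "yes" : "no");
    if (flags & DB_GROUP_READABLE)
        printf("note: readable by the owning group\n");
    if (flags & DB_WORLD_READABLE)
        printf("FINDING: world-readable, every local user can read the hashes\n");
    return (flags & DB_WORLD_READABLE) ? EXIT_FAILURE : EXIT_SUCCESS;
}
```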
