From: Sebastien Cabaniols <sebastien.cabaniols@xxxxxx> To: pam-list@xxxxxxxxxx Date: Thu, 15 Mar 2007 15:07:20 +0100 Subject: shall a pam-enabled application be setuid root to be able to pam_authenticate system users ? Hello list, I am quite new to pam and I have currently managed to integrate pam to a short hello world application but I don't understand if my application has to run as root or not: I have defined a /etc/pam.d/test which contains the following: auth required pam_unix_auth.so account required pam_unix_acct.so My application will start after pam_authenticate succeds (I am simply using the standard misc_conv from pam_misc.) If I am running my application on behalf of the non-priviledged user 'seb', then I can only pam_authenticate the user 'seb'. To be able to authenticate other users, I have to run the process as root or setuid or sudo. How can an application (such as a webservice) run on behalf of an unpriviledged user and still refuse to run if you can't provide a valid user/password on the linux system ? Many thanks in advance for any help.
As far as I know, no, you don't. I've run things as my own user and still been able to authenticate properly. It might have something to do with your settings for that service; try to assume another service's identity and authenticate as that instead, and perhaps just look at other services' configuration files. Ludvig Ericson _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
