Hi, This patch logs a message if getspnam() fails which, notably, happens if the PAM using process does not have permissions to read /etc/shadow. As such, this message serves debugging and security notification purposes. Thanks, Matthew W.S. Bell
---
diff -wruN pam-1.0.1/libpam/pam_modutil_getspnam.c pam-1.0.1.new/libpam/pam_modutil_getspnam.c
--- pam-1.0.1/libpam/pam_modutil_getspnam.c 2007-08-30 05:00:39.000000000 +0100
+++ pam-1.0.1.new/libpam/pam_modutil_getspnam.c 2009-08-12 05:45:00.000000000 +0100
@@ -14,6 +14,7 @@
 #include <shadow.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <syslog.h>
 static int intlen(int number) {
@@ -100,6 +101,7 @@
 return NULL; } else if (errno != ERANGE && errno != EINTR) {
+ pam_syslog(pamh, LOG_ERR, "getspnam_r(): Failed to get shadow password entry");
 /* no sense in repeating the call */ break; }
@@ -115,13 +117 ,14 @@
 return NULL;
 #else /* ie. ifndef HAVE_GETSPNAM_R */
-
 /* * Sorry, there does not appear to be a reentrant version of * getspnam(). So, we use the standard libc function. */
+ void *spwd = getspnam(user);
+ if (!spwd)
+ pam_syslog(pamh, LOG_ERR, "getspnam(): Failed to get shadow password entry");
+ return spwd;
- return getspnam(user);
-
 #endif /* def HAVE_GETSPNAM_R */
 }
---
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
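Review bot: The added `#include <syslog.h>` in the first hunk brings in LOG_ERR but not a prototype for pam_syslog(), which Linux-PAM declares in `<security/pam_ext.h>`; that header is not among the includes visible here. If nothing else in the file already pulls it in (not determinable from this hunk), the two new calls would be compiled against an implicit declaration of a variadic function. I would add `#include <security/pam_ext.h>` alongside it, or confirm the private header already provides the prototype.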
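Review bot: The message added in the `errno != ERANGE && errno != EINTR` branch of the second hunk does not record why the lookup failed, so the unreadable-/etc/shadow case the description is aimed at cannot be told apart from any other failure in the log. From the visible condition the branch looks to be reached for every non-retryable result, which presumably includes an account with no shadow entry at all; if so, each lookup of an unknown or non-local name would produce a LOG_ERR line, and that volume can bury the permission errors an operator needs to see. I would log the cause, `pam_syslog(pamh, LOG_ERR, "getspnam_r(): failed to get shadow password entry: %m");`, and keep LOG_ERR for real errors such as EACCES while dropping plain not-found to a lower priority or no message. The same applies to the getspnam() fallback in the third hunk; the retry loop around this branch starts outside the hunk.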
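Review bot: In the third hunk `void *spwd = getspnam(user);` throws away the type that getspnam() returns, so the compiler no longer checks the value handed back by `return spwd;`; declare it as `struct spwd *spwd = getspnam(user);`. The `if (!spwd)` body is also left unbraced while the `else if` in the second hunk is braced, so I would put `{` and `}` around the pam_syslog() call. The enclosing function begins outside the hunk, so its declared return type is not visible here.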