2010/12/5 Dan Yefimov <dan@xxxxxxxxxxxxxxxx>:
> On 05.12.2010 22:52, Henk te Sligte wrote:
>>
>> Hi guys,
>>
>> I have been puzzling with this all day, and I can't figure out why
>> this doesn't work.
>> I compiled "xsh.c" from the examples, and created the appropriate
>> config file. However, I do get a shell, but from the same user that is
>> logged in.
>> I even tried to modify the system call to just a simple "touch
>> test.txt", but this command is executed as the same user.
>> So I guess my problem is somewhere in the config file, but I don't
>> know what to modify. I used the "login" and "passwd" ones, and I even tried
>> my own, where I just call pam_permit.so for every action, and even
>> though I am authenticated without a problem, the xsh script still
>> creates the file as the same user.
>>
>> So instead of the regular source, I did (line 142 from examples/xsh.c):
>>
>>     /* this is always a really bad thing for security! */
>>     retcode = system("touch /home/henk/test.txt");
>>     if (retcode != PAM_SUCCESS) {
>>         printf("Error code: %d\n", retcode);
>>     }
>>
>> After calling "./a.out henk" as root, this is the response:
>>
>>     ==> called pam_start()
>>     got: `Success'
>>     ==> called pam_set_item(PAM_RUSER)()
>>     got: `Success'
>>     ==> called pam_set_item(PAM_RHOST)()
>>     got: `Success'
>>     ==> called pam_set_item(PAM_RHOST)()
>>     got: `Success'
>>     Password:
>>     ==> called pam_authenticate()
>>     got: `Success'
>>     ==> called pam_acct_mgmt()
>>     got: `Success'
>>     ==> called pam_setcred()
>>     got: `Success'
>>     ==> called pam_open_session()
>>     got: `Success'
>>     The user [henk] has been authenticated and `logged in'
>>     ==> called pam_close_session()
>>     got: `Success'
>>     ==> called pam_setcred()
>>     got: `Success'
>>     ==> called pam_end()
>>     got: `Success'
>>
>> However, the file is created as root.
>> This is my config script (from /etc/pam.d/passwd):
>>
>>     #%PAM-1.0
>>     auth      required  pam_env.so
>>     auth      required  pam_unix2.so
>>     account   required  pam_unix2.so
>>     password  requisite pam_pwcheck.so cracklib
>>     password  optional  pam_gnome_keyring.so use_authtok
>>     password  required  pam_unix2.so use_authtok
>>     session   required  pam_limits.so
>>     session   required  pam_unix2.so
>>     session   optional  pam_apparmor.so
>>     session   optional  pam_umask.so
>>     session   optional  pam_gnome_keyring.so auto_start only_if=gdm,lxdm
>>
>> Can anyone help me out? What am I doing wrong?
>>
> You should carefully read all documentation about PAM. The first parameter
> of pam_start() is in fact the name of the PAM config file. If you specified
> "login" there, PAM will parse /etc/pam.d/login; if you specified something
> else, you must create the corresponding config file in /etc/pam.d. In
> addition, switching UID/GID to those of the logging-in user and initializing his
> supplementary group list is the job of your application, not PAM.
>
> --
>
> Sincerely Yours, Dan.
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
>

I know about the first parameter; the xsh script has "xsh" by default, so
that's what I am using. Obviously, I did create my own in /etc/pam.d, which
is described in my first mail.

I figured from the examples that xsh.c would spawn a shell as the newly
logged-in user, because it got the credentials from PAM. Why else is there
the system() call in xsh.c (from the examples, in the release build)?

Greetings,

Henk te Sligte
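The point Dan makes is the one that explains the observed behaviour: pam_authenticate(), pam_setcred() and pam_open_session() decide whether the login is allowed and set up the session, but none of them changes the identity of the calling process. A program that started as root and then calls system() is still root, so the file is created by root. The application itself has to look up the user's uid/gid, load the supplementary groups and switch identity, in that order, before running anything on the user's behalf. The following is an added example written for this thread; it is not code from Linux-PAM's examples/xsh.c and does not link against libpam. The function and variable names (drop_privileges, running_as, root_unrecoverable) are the example's own; in xsh.c the drop_privileges() call would sit after pam_open_session() succeeded and before the system("/bin/sh") call.

```c
/* Added example (not from Linux-PAM's examples/xsh.c): switch the process
 * from root to the authenticated user before running a shell for them.
 * PAM only authenticates and opens the session; changing uid/gid is the
 * caller's job. Names here (drop_privileges, running_as,
 * root_unrecoverable) are the example's own. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Switch this process to uid/gid and load the supplementary groups of `name`.
 * Order matters: the group list and the gid must be set while still root,
 * because after setuid() to an unprivileged uid they can no longer change.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(const char *name, uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID, i.e. root. A process that is not root
     * has no supplementary groups to replace, so the step is skipped. */
    if (geteuid() == 0 && initgroups(name, gid) != 0)
        return -1;
    if (setgid(gid) != 0)       /* real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)       /* real, effective and saved uid */
        return -1;
    return 0;
}

/* Returns 1 when real and effective uid/gid all equal the requested ones,
 * 0 otherwise. Checking both catches a partial switch (e.g. seteuid only). */
int running_as(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Returns 1 when root cannot be regained (the kernel refuses setuid(0)),
 * which is what a program that started as root should verify after the
 * drop. Returns 0 while still running as root. */
int root_unrecoverable(void)
{
    if (geteuid() == 0)
        return 0;               /* nothing has been dropped yet */
    return setuid(0) == -1 && errno == EPERM;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <user>\n", argv[0]);
        return 1;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", argv[1]);
        return 1;
    }
    /* In xsh.c this belongs after pam_open_session() returned PAM_SUCCESS. */
    if (drop_privileges(pw->pw_name, pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "cannot switch to %s: %s\n",
                pw->pw_name, strerror(errno));
        return 1;
    }
    /* Refuse to continue unless the switch is complete and irreversible
     * (the second check only applies when the target user is not root). */
    if (!running_as(pw->pw_uid, pw->pw_gid) ||
        (pw->pw_uid != 0 && !root_unrecoverable())) {
        fprintf(stderr, "privilege drop incomplete, not running a shell\n");
        return 1;
    }
    printf("now running as %s (uid %u); a system(\"/bin/sh\") here is theirs\n",
           pw->pw_name, (unsigned)pw->pw_uid);
    return 0;
}
```

Run as root with a username argument it prints the switched identity; run as an ordinary user it only switches to that user's own ids, which the kernel permits without privilege, and root_unrecoverable() confirms that setuid(0) is refused. The reverse order (setuid first, then setgid or initgroups) fails with EPERM or, worse, silently leaves root's group memberships in place, which is why the order inside drop_privileges() is fixed.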