Bent Bagger | 1 May 16:22 2006

Permissions on the password database may be too restrictive

Hi

I teach a Linux course at the Engineering College in Copenhagen and
the subject next time is PAM. To demonstrate how to use PAM I have
taken a small program from the O'Reilly book "Linux Security Cookbook"
(p.74). Trying to execute the compiled program results in this error
message:

Permissions on the password database may be too restrictive

The funny (?) thing is that if I make /etc/shadow world readable with
chmod, the program runs successfully. This, however, is not a
workaround I like! I hope one of you can provide me with a better
solution.

Here are some details about my setup: My distribution is Suse 10.0,
/etc/nsswitch has both passwd and shadow set to 'compat'. My
configuration file in /etc/pam.d is this:

#
#  /etc/pam.d/my_applic
#
# configuration file for PAM-aware program
#
auth      required     pam_unix2.so debug
account   required     pam_unix2.so

and finally, here is the application itself:
==============


Thorsten Kukuk | 2 May 08:09 2006

Re: Permissions on the password database may be too restrictive

On Mon, May 01, Bent Bagger wrote:

> Hi
> 
> I teach a Linux course at the Engineering College in Copenhagen and
> the subject next time is PAM. To demonstrate how to use PAM I have
> taken a small program from the O'Reilly book "Linux Security Cookbook"
> (p.74). Trying to execute the compiled program results in this error
> message:
> 
> Permissions on the password database may be too restrictive

Which means your application runs as a normal user, and a normal user
is not allowed to access /etc/shadow.

> The funny (?) thing is that if I make /etc/shadow world readable with
> chmod, the program runs succesfully. This, however, is not a
> workaround, I like! I hope one of you can provide me with a better
> solution.

Give your application the necessary rights to read (and, if it
should change the password, write to) that file.

  Thorsten

-- 
Thorsten Kukuk         http://www.suse.de/~kukuk/      kukuk <at> suse.de
SUSE LINUX Products GmbH       Maxfeldstr. 5       D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = 8C6B FD92 EE0F 42ED F91A  6A73 6D1A 7F05 2E59 24BB

Bruno FLEISCH | 2 May 09:55 2006

Re: mod_auth_pam patch


Ignacio Vazquez-Abrams wrote:
> On Fri, 2006-04-28 at 15:26 +0200, Bruno FLEISCH wrote:
>   
>> * The module caches both positive (i.e. successful) and negative
>> authentication results. This improves performance on slow
>> authentication providers (NIS/YP or LDAP), and limits denial-of-service
>> attacks with bad credentials.
>>
>> NB: The cache routines may be disabled by "undef-ing" the ENABLE_CACHE
>> macro in the source file.
>>     
>
> How do you flush the cache at runtime?
>   

There is no "flush" operation available. Cached entries expire after a 
given amount of time (default is 120 seconds for positive results, 5 for 
negative).

Regards,

Bruno
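
An added example of the caching behaviour Bruno describes (positive results kept for 120 seconds, negative ones for 5, no flush). This is my own code, not mod_auth_pam's source, which is not on this page; the function names, the choice to key entries by user plus a salted hash of the credential, and the FNV-1a placeholder hash are my assumptions, and the backend with its single valid credential is constructed for the demo. It also shows the consequence of having no flush: a result cached as good stays good until it expires, whatever the backend would say in the meantime.

```c
/* Added example, not mod_auth_pam's code: an authentication-result cache with
 * the lifetimes described above (120 s positive, 5 s negative, no flush).
 * Design choices here are mine, not necessarily the module's: entries are
 * keyed by user plus a salted hash of the credential, so no plaintext password
 * sits in the cache and a wrong guess cannot block the next correct attempt;
 * FNV-1a stands in for a keyed/password hash; the clock is a parameter so
 * expiry can be exercised without sleeping. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_SLOTS   64
#define POSITIVE_TTL 120   /* seconds */
#define NEGATIVE_TTL   5

struct entry { char user[64]; uint64_t cred_hash; int result; long expires; };  /* expires 0 = empty */
struct auth_cache {
    struct entry slots[CACHE_SLOTS];
    uint64_t salt;      /* random per process in real use; fixed in the demo */
    unsigned next;      /* round-robin eviction */
};
typedef int (*backend_fn)(const char *user, const char *pass, int *calls);

static uint64_t fnv1a(uint64_t h, const char *s)
{
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* 1 and *result set on a live hit; 0 on a miss or an expired entry. */
int cache_lookup(const struct auth_cache *c, const char *user, const char *pass, long now, int *result)
{
    uint64_t h = fnv1a(c->salt, pass);
    for (unsigned i = 0; i < CACHE_SLOTS; i++) {
        const struct entry *e = &c->slots[i];
        if (e->expires == 0 || e->expires <= now)
            continue;
        if (e->cred_hash == h && strcmp(e->user, user) == 0) {
            *result = e->result;
            return 1;
        }
    }
    return 0;
}

void cache_store(struct auth_cache *c, const char *user, const char *pass, long now, int result)
{
    struct entry *e = &c->slots[c->next++ % CACHE_SLOTS];
    snprintf(e->user, sizeof e->user, "%s", user);
    e->cred_hash = fnv1a(c->salt, pass);
    e->result = result;
    e->expires = now + (result ? POSITIVE_TTL : NEGATIVE_TTL);
}

/* What the module's auth hook would do: answer from cache, else ask the backend. */
int authenticate(struct auth_cache *c, const char *user, const char *pass, long now, backend_fn backend, int *calls)
{
    int result;
    if (cache_lookup(c, user, pass, now, &result))
        return result;
    result = backend(user, pass, calls);
    cache_store(c, user, pass, now, result);
    return result;
}

/* Constructed backend standing in for pam_authenticate() against NIS/LDAP:
 * accepts exactly one credential and counts every call it receives. */
int demo_backend(const char *user, const char *pass, int *calls)
{
    (*calls)++;
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct horse") == 0;
}

/* Timeline using the thread's numbers. Returns how many requests reached the
 * backend: 4, because the repeat wrong guess at t=3 and the repeat right one at
 * t=123 are served from cache, while t=6 and t=124 arrive after expiry. */
int demo_timeline(void)
{
    struct auth_cache c = { .salt = 0x5eed5eed5eed5eedULL };
    int calls = 0;
    authenticate(&c, "alice", "wrong", 0, demo_backend, &calls);
    authenticate(&c, "alice", "wrong", 3, demo_backend, &calls);
    authenticate(&c, "alice", "correct horse", 4, demo_backend, &calls);
    authenticate(&c, "alice", "wrong", 6, demo_backend, &calls);
    authenticate(&c, "alice", "correct horse", 123, demo_backend, &calls);
    authenticate(&c, "alice", "correct horse", 124, demo_backend, &calls);
    return calls;
}

/* The cost of having no flush: a credential cached as good at t=0 stays accepted
 * until POSITIVE_TTL even though the backend (here: demo_backend) rejects it.
 * Returns the verdict at 'now'. */
int demo_stale_positive(long now)
{
    struct auth_cache c = { .salt = 1 };
    int calls = 0;
    cache_store(&c, "alice", "old password", 0, 1);
    return authenticate(&c, "alice", "old password", now, demo_backend, &calls);
}
```

The negative cache only absorbs repeats of the same bad credential, which is what limits a brute-force loop against a slow NIS/LDAP backend without also locking out a user who mistyped once; the positive cache is the part that makes a password change or account disablement invisible for up to POSITIVE_TTL, which is the reason a flush or a shorter positive lifetime is worth having.
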
Bent Bagger | 2 May 10:41 2006

Re: Permissions on the password database may be too restrictive

Hi

On 02/05/06, Thorsten Kukuk <kukuk <at> suse.de> wrote:
>
> Give your application the necessary rights to read (and, if it
> should change the password) and write to that file.
>

I made my application run suid as root and now it works. Thanks for your help.

Bent
Valdir Leite | 3 May 01:20 2006

Re: Permissions on the password database may be too restrictive

Bent,

2¢:
Don't forget the issues related to "race conditions" when suid'ing apps.

Valdir

On 5/2/06, Bent Bagger <bbagger <at> gmail.com> wrote:
> Hi
>
> On 02/05/06, Thorsten Kukuk <kukuk <at> suse.de> wrote:
> >
> > Give your application the necessary rights to read (and, if it
> > should change the password) and write to that file.
> >
>
> I made my application run suid as root and now it works. Thanks for your help.
>
> Bent
>
> _______________________________________________
> Pam-list mailing list
> Pam-list <at> redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
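
Linux-PAM's pam_unix sidesteps this problem for the common case by delegating the /etc/shadow read to its setuid helper, unix_chkpwd, so the calling application itself need not be setuid. Where a program really does run setuid root, as Bent's now does, Valdir's warning is about check-then-use races on the files it opens. The following is an added example in C, not the Cookbook program and not anything posted in the thread, showing the two habits a setuid reader of /etc/shadow needs: open and validate by descriptor rather than by path, and drop root permanently before touching anything else. The function names and the shadow-style sample file are mine; the demo reads a temp file it constructs, so it runs unprivileged.

```c
/* Added example (not the Cookbook program from the thread): what a setuid-root
 * helper must get right before it touches /etc/shadow.
 * 1. No check-then-use race: never stat()/access() the path and then open()
 *    it; open first and validate the descriptor you actually got with fstat().
 * 2. Drop root permanently as soon as the privileged open is done, and verify
 *    the drop. The demo reads a constructed temp file, so it runs unprivileged. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read-only and insist it is a regular file owned by 'owner' that
 * was not reached through a symlink. The checks run on the open descriptor,
 * so swapping the path between check and use gains an attacker nothing.
 * Returns the descriptor, or -1 with errno set. */
int open_checked(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Give up root for good: supplementary groups first, then gid, then uid
 * (after setuid() we could no longer change the groups). Returns 0 only if
 * every id now equals the target and the process cannot climb back to 0. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && (seteuid(0) == 0 || setegid(0) == 0))
        return -1;        /* a saved root id survived: refuse to continue */
    return 0;
}

/* Copy the second field (the password hash) of user's line into out.
 * Takes ownership of fd. Returns 1 if the user was found. */
int lookup_hash(int fd, const char *user, char *out, size_t outlen)
{
    char line[512];
    int found = 0;
    FILE *f = fdopen(fd, "r");
    if (!f) { close(fd); return 0; }
    while (!found && fgets(line, sizeof line, f)) {
        char *hash = strchr(line, ':');
        if (!hash) continue;
        *hash++ = '\0';
        if (strcmp(line, user) != 0) continue;
        char *end = strchr(hash, ':');
        if (end) *end = '\0';
        snprintf(out, outlen, "%s", hash);
        found = 1;
    }
    fclose(f);
    return found;
}

/* Demo on a constructed file (the real call would be open_checked("/etc/shadow", 0)
 * while still root). Returns 0 and fills hash on success, negative on failure. */
int demo(char *hash, size_t hashlen)
{
    const char *sample = "root:$6$saltsalt$constructedhash:13000:0:99999:7:::\n"
                         "bent:$6$abcdefgh$anotherconstructed:13000:0:99999:7:::\n";
    char path[] = "/tmp/shadow_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, sample, strlen(sample)) != (ssize_t)strlen(sample)) { close(fd); unlink(path); return -1; }
    close(fd);
    int sfd = open_checked(path, getuid());      /* privileged part */
    unlink(path);
    if (sfd < 0) return -2;
    if (drop_privileges(getuid(), getgid()) != 0) { close(sfd); return -3; }
    return lookup_hash(sfd, "bent", hash, hashlen) ? 0 : -4;   /* unprivileged part */
}

int main(void)
{
    char hash[128];
    int rc = demo(hash, sizeof hash);
    printf("rc=%d hash=%s\n", rc, rc == 0 ? hash : "(none)");
    return rc == 0 ? 0 : 1;
}
```

Installed setuid root, the program's only privileged action is the open; everything that parses data or talks to the user happens after drop_privileges(), so a bug there cannot be turned into a root shell, and the fstat() on the descriptor is what closes the symlink race Valdir is pointing at.
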
Thorsten Kukuk | 4 May 19:18 2006

Linux-PAM 0.99.4.0 released


Hello,

The Linux-PAM development team is pleased to announce the release
of version 0.99.4.0.

This time there are a lot of changes:

* Add test suite
* Fix building of static variants of libpam, libpamc and libpam_misc
* pam_listfile: Add support for password and session management
* pam_exec: New PAM module to execute arbitrary commands
* Fix building of a static libpam including all PAM modules
* New/updated translations for: nl, pt, pl, fi, km, tr, uk, fr
* pam_access: Add network(address) / netmask and IPv6 support
* Add manual pages for pam_cracklib, pam_deny and pam_access
* pam_pwdb: This deprecated module was removed
* Manual pages: Major rewrite/cleanup

If you wish to help: there are still a lot of manual pages missing.
And the SGML sources need to be reworked and adjusted to the current
code; there is a lot of information in the guides which has not been
valid for a very long time.

People helping with translations are also always welcome.

 Your Linux-PAM development team

-- 
Thorsten Kukuk         http://www.suse.de/~kukuk/      kukuk <at> suse.de

Prajjwal Devkota | 5 May 06:40 2006

pam_mount causes graphical login to hang second time

Hi everyone,

I installed pam_mount (version 0.13.0-3) on my fedora core 5 desktop two
days ago, and I set it up to mount some network shares on our active
directory domain using cifs mount.  My desktop is also joined to the
domain for active directory authentication using winbind.

I am able to log in graphically without any problems the first time. The
relevant shares are also mounted. When I log out, I can also see that
the shares have been removed (from an ssh login from an adjacent
computer). However, when I try to log in again, I get authenticated, but
my graphical session goes blank, and doesn't even reach the splash
screen.

To fix this, I need to log in as root using either a remote ssh session
or the virtual consoles, go to runlevel 3, then back to runlevel 5.
After doing this, I can log in once without problems. However, after
logging out, the same problem repeats.

I thought it might be a problem with the cifs mount/unmount process that
pam_mount was using, so I tried mounting nfs shares only instead.
However, even when using nfs shares, the same issue occurs.

This issue only occurs with the graphical login though. When I log in to
a virtual console, I can easily log in/log out as many times as I like.
The same is true with ssh: for ssh, even the pam_mount mounted shares
are not unmounted, but I can log in/log out as many times as I like.

I use smb4k for network browsing/share mounting, but I believe that I
can configure pam_mount to work correctly, it will be even more

zappaboy | 5 May 08:42 2006

Re: Linux-PAM 0.99.4.0 released

Using morgan.asc from http://www.kernel.org/pub/linux/libs/pam/morgan.asc
and the files at http://www.kernel.org/pub/linux/libs/pam/pre/library/
and gpg version 1.4.3 I cannot get the archive verified.

$ gpg --version
gpg (GnuPG) 1.4.3
Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ gpg --import morgan.asc
gpg: directory `/home/joe/.gnupg' created
gpg: new configuration file `/home/joe/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/joe/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/joe/.gnupg/secring.gpg' created
gpg: keyring `/home/joe/.gnupg/pubring.gpg' created
gpg: /home/joe/.gnupg/trustdb.gpg: trustdb created
gpg: key D41A6DF2: public key "Andrew G. Morgan <morgan <at> kernel.org>" imported
gpg: key 2A398175: public key "Andrew G. Morgan <morgan <at> parc.power.net>" imported
gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 1)

Alexander Samad | 8 May 09:33 2006

pam and ldap problems

Hi

Just going through the process of setting up ldap authentication.

Things seem to be working fine except when I go to do some fine control
over who can log into each machine.

my nsswitch looks like this 
passwd:         files ldap 
group:          files ldap 
shadow:         files

my common-auth looks like
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so ignore_unknown_user use_first_pass
auth required pam_permit.so

i got this from the readme in the libpam-ldap package.

I am using debian AMD64 testing/unstable

I have added a variable hosts=* to my test uid entry, and I have placed
pam_filter in /etc/pam_ldap.conf:
pam_filter host=this.is.a.test

When I test it with the above configuration I see no requests with
search variables host=

When I modify my common-auth to look like this


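The common-auth stack above relies on Linux-PAM control semantics that are easy to misread: [success=1 default=ignore] on pam_unix skips pam_ldap entirely when the local password check succeeds, so pam_ldap (and any pam_filter search it would issue) only runs for users pam_unix does not accept, and the closing "required pam_permit.so" is there because a jump leaves no verdict of its own. The following is an added example, my own code and not part of Linux-PAM or of the post, that models those rules and traces this exact stack with caller-supplied module results, so no LDAP server is needed. The function names and the rule table are assumptions for illustration; the numeric return codes are the ones Linux-PAM defines.

```c
/* Added example, not Linux-PAM code: a small evaluator for the control values
 * used in the common-auth above, so the stack can be traced without a live
 * LDAP server. It models required, requisite, sufficient, optional and the
 * bracketed [success=N default=ignore] form; each module's return value is
 * supplied by the caller, standing in for the real pam_unix / pam_ldap. The
 * rules modelled: a jump counts as "ignore" for the verdict, a success after a
 * recorded required failure does not undo it, and reaching the end of the
 * stack with no module having had a say is a denial. */
#include <stdio.h>

enum { PAM_SUCCESS = 0, PAM_PERM_DENIED = 6, PAM_AUTH_ERR = 7, PAM_USER_UNKNOWN = 10 };
enum action { ACT_OK = -1, ACT_BAD = -2, ACT_DIE = -3, ACT_IGNORE = -4, ACT_DONE = -5 };
/* an action value >= 1 means "skip that many modules", as in [success=1] */

struct rule { const char *module; int on_success; int on_failure; int rc; int *consulted; };

/* The stock control words are shorthand for these success/failure action pairs. */
#define REQUIRED        ACT_OK,   ACT_BAD
#define REQUISITE       ACT_OK,   ACT_DIE
#define SUFFICIENT      ACT_DONE, ACT_IGNORE
#define OPTIONAL        ACT_OK,   ACT_IGNORE
#define SUCCESS_SKIP(n) (n),      ACT_IGNORE    /* [success=n default=ignore] */

int run_stack(const struct rule *stack, int n)
{
    int impression = 0;              /* 0 undecided, 1 positive, -1 negative */
    int status = PAM_PERM_DENIED;
    for (int i = 0; i < n; ) {
        const struct rule *r = &stack[i];
        int skip = 0;
        int act = (r->rc == PAM_SUCCESS) ? r->on_success : r->on_failure;
        if (r->consulted) *r->consulted = 1;
        if (act >= 1) { skip = act; act = ACT_IGNORE; }
        switch (act) {
        case ACT_OK:                 /* count it, unless a required failure came first */
            if (impression >= 0) { impression = 1; status = r->rc; }
            break;
        case ACT_DONE:               /* sufficient: short-circuit unless already failed */
            if (impression >= 0) return PAM_SUCCESS;
            break;
        case ACT_BAD:                /* required: remember the first failure, carry on */
            if (impression != -1) { impression = -1; status = r->rc; }
            break;
        case ACT_DIE:                /* requisite: stop now */
            return impression == -1 ? status : r->rc;
        default:                     /* ignore / jump: no effect on the verdict */
            break;
        }
        i += 1 + skip;
    }
    return impression == 0 ? PAM_PERM_DENIED : status;
}

/* The common-auth from the post: pam_unix returns unix_rc, pam_ldap returns
 * ldap_rc. *ldap_consulted reports whether pam_ldap ran at all. */
int eval_common_auth(int unix_rc, int ldap_rc, int *ldap_consulted)
{
    *ldap_consulted = 0;
    struct rule stack[] = {
        { "pam_unix.so",   SUCCESS_SKIP(1), unix_rc,     NULL },
        { "pam_ldap.so",   REQUIRED,        ldap_rc,     ldap_consulted },
        { "pam_permit.so", REQUIRED,        PAM_SUCCESS, NULL },
    };
    return run_stack(stack, 3);
}

/* Same stack without the closing pam_permit line, to show why it is there. */
int eval_without_permit(int unix_rc, int ldap_rc)
{
    struct rule stack[] = {
        { "pam_unix.so", SUCCESS_SKIP(1), unix_rc, NULL },
        { "pam_ldap.so", REQUIRED,        ldap_rc, NULL },
    };
    return run_stack(stack, 2);
}

int main(void)
{
    int ldap;
    printf("local user, good password : %d (pam_ldap consulted: %d)\n",
           eval_common_auth(PAM_SUCCESS, PAM_AUTH_ERR, &ldap), ldap);
    printf("LDAP user, good password  : %d (pam_ldap consulted: %d)\n",
           eval_common_auth(PAM_USER_UNKNOWN, PAM_SUCCESS, &ldap), ldap);
    printf("LDAP user, bad password   : %d\n", eval_common_auth(PAM_USER_UNKNOWN, PAM_AUTH_ERR, &ldap));
    printf("local user, no pam_permit : %d\n", eval_without_permit(PAM_SUCCESS, PAM_AUTH_ERR));
    return 0;
}
```

The four cases main() prints are the ones worth keeping in mind when debugging a stack like this: a local user never reaches pam_ldap, an LDAP user is accepted or rejected by pam_ldap alone (pam_permit's success cannot override a required failure), and dropping pam_permit turns a correct local password into a denial because the jump lands on the end of the stack with nothing recorded.
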
Peter M. Metcalf | 9 May 15:36 2006

Pam on FC5 klog problem

I have 3 different PCs running FC4 or FC5. All are mounting
OpenAFS. Of course I use PAM to authenticate.

My problem: if I am logging in from a remote machine via SSHD, I have to
"klog" after I am authenticated to get a token. If I log in locally on any
of those machines I get a token every time.

My GDM and SSHD pam files are a match.
I'm assuming that I am missing something in the SSHD string of events that 
happen when I use that method to connect.

Again, no matter which way I go, I get authenticated... I just do not get a
token from an SSHD attempt without using klog after logging in.

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_afs.krb.so try_first_pass ignore_root
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

Pete
