3

I'm currently developing an authentication module for an application. The decision was made to do this by using PAM. I have made this work but it can only authenticate the user that started the application.

This means that if I started the application as the user 'appname' the authentication only tells me it is successful if the user is 'appname' and not 'some_user'

If I su to that 'some_user' and started the application in that terminal then I can authenticate 'some_user' but not 'appname'

I turned on the debug flag for pam_unix in common-auth. Resulting in the following output when it rejects:

unix_chkpwd[4107]: check pass; user unknown
unix_chkpwd[4107]: password check failed for user (pamtest)
[app]: pam_unix(other:auth): authentication failure; logname=[appname] uid=1000 euid=1000 tty= ruser=[appname] rhost=  user=pamtest
Improve this question

1 Answer 1

Reset to default
8

PAM is not a daemon, but just a library. As a normal user has no access to authentication data (like /etc/shadow), programs running under a normal user cannot authenticate. There is one small exception: The user can authenticate himself, because in this case the SETGID /sbin/unix_chkpwd helper program is automatically called, which has access to authentication data (but does not allow to authenticate other users).

So you need either give the program itself root rights via SUID flags (I do not recommend it as it is difficult to not open a backdoor) so that it runs under root or need to authenticate via a network service or by running a SUID program like su.

In this question possible solutions are discussed.

Improve this answer
3
  • This does not answer my question as I am still accessing the existing C PAM functions. The ones detailed at the Linux PAM application developer guide which should let you implement programs like 'su' So I don't have to have access to the authentication data as far as I am aware, because how could the program as I have it now authenticate one user but not all others if I had no access at all? You are however correct in not not assigning the process root privileges, which is exactly why I am implementing PAM. Commented Mar 1, 2013 at 14:21
  • @Zimrilim I added the correct reason to the answer why a user can authenticate himself. But except of this, already the developer guide says what I answered: "PAM modules generally have no increased privilege over that possessed by the application that is making use of it.". Please note that all programs that can authenticate have a SETUID/SETGID flag set or run as root like the ssh daemon. Commented Mar 2, 2013 at 23:29
  • 1
    My apologies. I feel really stupid for having overlooked this. I did get the impression from the manuals and explanations that I found that you didn't need to have a separate part of the program with heightened permissions to authenticate any user. With this though it is perfectly clear now. Thank you. Commented Mar 7, 2013 at 9:22

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.