[SunHELP] solaris 2.8 getpwnam() strange behaviour ...

Adrian.Florea at alcatel.ro Adrian.Florea at alcatel.ro
Thu Mar 6 05:30:35 CST 2003 

Hi,

On Thu, 6 Mar 2003, DAUBIGNE Sebastien  - BOR (   SDaubigne at bordeaux-bersol.sema.slb.com ) wrote:

> You said  : "getpwnam returns a bad encrypted password"
>
> As stated in the man page of getpwnam()  :
>
> "The pw_passwd field in the passwd structure  should  not  be
> used  as the encrypted password for the user; use getspnam()
> or getspnam_r() instead. See getspnam(3C)"

First I'm trying getpwnam() and then I call getspnam();


> Now, if you using getspnam() instead, I guess it should be called from
> a process which has euid of root, because of /etc/shadow access, which
> it seems not to be the case ("Apache is running as a non-root user").
> >From man getspnam() :
> "Access to the /etc/shadow file is generally restricted to processes running
>
> as  the  super-user (root)"
>

I call both functions from inside a PAM AUTH module (library).

then several login services are filtered through PAM.

All of them work fine (rlogin, su, telnet, ssh, CDE/dtlogin, ...) but
Apache with a PAM module works in strange ways ... i.e. in this case
getpwnam()/getspnam() calls are successful partialy (it fails once from 4
tries for example).

> ---
> Sebastien DAUBIGNE
> sdaubigne at bordeaux-bersol.sema.slb.com
> <mailto:sdaubigne at bordeaux-bersol.sema.slb.com>  - (+33)5.57.26.56.36
> SchlumbergerSema - SGS/DWH/Pessac
>
> 	-----Message d'origine-----
> 	De:	Adrian.Florea at alcatel.ro [SMTP:Adrian.Florea at alcatel.ro]
> 	Date:	jeudi 6 mars 2003 11:06
> 	@:	sunhelp at sunhelp.org
> 	Objet:	[SunHELP] solaris 2.8 getpwnam() strange behaviour ...
>
> 	hello guys,
>
> 	Please, give me a feedback if you heared of such a problem:
>
> 	- I have a web user interface in which a user can chnage his
> password.
> 	- I'm using as backend Apache + a PAM auth Apache module
> 	- PAM modules are also customized by me
>
> 	inside the PAM authentication module I make a call to
> getpwnam/getspnam
> 	but between subsequent calls to these functions different bad values
> are
> 	returned. That's the case when the user change it's password and
> then is
> 	not recognized by the PAM because getpwnam returns a bad encrypted
> 	password.
>
> 	It seems that getpwnam/getspnam does not return always the good
> encrypted
> 	password for a user.
>
> 	Apache is running as a non-root user.
>
> 	In Apache logs I see, whenever the auth fails (because of
> 	getpwnam/getspnam) the err message like: "(9) Bad file number" or
> "(13)
> 	Permission denied"
>
>
> 	Thanks in advance,
> 	Adrian FLOREA
>
>
> 	P.S. all other login services (rlogin, telnet, ssh, ...) are
> filtered
> 	through PAM and work very fine.
> 	_______________________________________________
> 	SunHELP maillist  -  SunHELP at sunhelp.org
> 	http://www.sunhelp.org/mailman/listinfo/sunhelp
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp

More information about the SunHELP mailing list