[SunHELP] solaris 2.8 getpwnam() strange behaviour ...

DAUBIGNE Sebastien - BOR ( SDaubigne@bordeaux-bersol.sema.slb.com ) SDaubigne at bordeaux-bersol.sema.slb.com
Thu Mar 6 08:06:42 CST 2003


Theoretically, the Apache process which calls the PAM lib should not be able
to open the shadow file (which is what the getspnam() function is supposed
to do), because it's not euid root. So getspnam() should never return the
good encrypted password in such circumstances.

So, the question is: are you sure there is no bug in the code (mis-tested
return code, or so) which makes the module return PAM_SUCCESS even if the
encrypted password is not similar to the encrypted user input?

Maybe you should try to truss (-aelfv all) the process which calls the PAM
module to analyse the failing syscall (theoretically you should see
something like open("/etc/shadow"....)=EACCES).

---
Sebastien DAUBIGNE
sdaubigne at bordeaux-bersol.sema.slb.com
<mailto:sdaubigne at bordeaux-bersol.sema.slb.com>  - (+33)5.57.26.56.36
SchlumbergerSema - SGS/DWH/Pessac

	-----Original Message-----
	From:	Adrian.Florea at alcatel.ro [SMTP:Adrian.Florea at alcatel.ro]
	Date:	Thursday, 6 March 2003 12:31
	To:	DAUBIGNE Sebastien - BOR ( SDaubigne at bordeaux-bersol.sema.slb.com )
	Cc:	sunhelp at sunhelp.org
	Subject:	RE: [SunHELP] solaris 2.8 getpwnam() strange behaviour ...

	Hi,

	On Thu, 6 Mar 2003, DAUBIGNE Sebastien - BOR ( SDaubigne at bordeaux-bersol.sema.slb.com ) wrote:

	> You said: "getpwnam returns a bad encrypted password"
	>
	> As stated in the man page of getpwnam():
	>
	> "The pw_passwd field in the passwd structure should not be
	> used as the encrypted password for the user; use getspnam()
	> or getspnam_r() instead. See getspnam(3C)"

	First I'm trying getpwnam() and then I call getspnam();


	> Now, if you are using getspnam() instead, I guess it should be called from
	> a process which has euid of root, because of /etc/shadow access, which
	> it seems not to be the case ("Apache is running as a non-root user").
	> From man getspnam():
	> "Access to the /etc/shadow file is generally restricted to processes running
	> as the super-user (root)"
	>

	I call both functions from inside a PAM AUTH module (library).

	then several login services are filtered through PAM.

	All of them work fine (rlogin, su, telnet, ssh, CDE/dtlogin, ...) but
	Apache with a PAM module works in strange ways ... i.e. in this case
	getpwnam()/getspnam() calls are successful partially (it fails once in 4
	tries for example).

	> ---
	> Sebastien DAUBIGNE
	> sdaubigne at bordeaux-bersol.sema.slb.com
	> <mailto:sdaubigne at bordeaux-bersol.sema.slb.com>  - (+33)5.57.26.56.36
	> SchlumbergerSema - SGS/DWH/Pessac
	>
	> 	-----Original Message-----
	> 	From:	Adrian.Florea at alcatel.ro [SMTP:Adrian.Florea at alcatel.ro]
	> 	Date:	Thursday, 6 March 2003 11:06
	> 	To:	sunhelp at sunhelp.org
	> 	Subject:	[SunHELP] solaris 2.8 getpwnam() strange behaviour ...
	>
	> 	hello guys,
	>
	> 	Please, give me a feedback if you heard of such a problem:
	>
	> 	- I have a web user interface in which a user can change his password.
	> 	- I'm using as backend Apache + a PAM auth Apache module
	> 	- PAM modules are also customized by me
	>
	> 	inside the PAM authentication module I make a call to getpwnam/getspnam
	> 	but between subsequent calls to these functions different bad values are
	> 	returned. That's the case when the user changes its password and then is
	> 	not recognized by the PAM because getpwnam returns a bad encrypted
	> 	password.
	>
	> 	It seems that getpwnam/getspnam does not return always the good encrypted
	> 	password for a user.
	>
	> 	Apache is running as a non-root user.
	>
	> 	In Apache logs I see, whenever the auth fails (because of
	> 	getpwnam/getspnam) the err message like: "(9) Bad file number" or
	> 	"(13) Permission denied"
	>
	>
	> 	Thanks in advance,
	> 	Adrian FLOREA
	>
	>
	> 	P.S. all other login services (rlogin, telnet, ssh, ...) are filtered
	> 	through PAM and work very fine.
	> 	_______________________________________________
	> 	SunHELP maillist  -  SunHELP at sunhelp.org
	> 	http://www.sunhelp.org/mailman/listinfo/sunhelp
	_______________________________________________
	SunHELP maillist  -  SunHELP at sunhelp.org
	http://www.sunhelp.org/mailman/listinfo/sunhelp
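
The return-code handling discussed in this thread, as an added example that is not part of the original messages: a fail-closed shadow check that treats a NULL result from the lookup (for instance EACCES when the caller is not euid root) as a failure and never as a match. The names check_shadow, auth_result, lookup_denied, lookup_found and toy_hash are hypothetical; the stubs and the "toy$" value are constructed so the code runs without root, and a real module would pass getspnam and crypt instead.

```c
#include <errno.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

/* A PAM module would map these to PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL. */
enum auth_result { AUTH_OK, AUTH_FAIL, AUTH_UNAVAIL };
typedef struct spwd *(*sp_lookup_fn)(const char *name);      /* e.g. getspnam */
typedef char *(*hash_fn)(const char *key, const char *salt); /* e.g. crypt */

/* Fail closed: only an exact hash match returns AUTH_OK (hypothetical helper). */
enum auth_result check_shadow(const char *user, const char *pass,
                              sp_lookup_fn lookup, hash_fn hash, int *err)
{
    errno = 0;
    struct spwd *sp = lookup(user);
    *err = errno;               /* save before another call clobbers it */
    if (sp == NULL)             /* EACCES etc.: backend unreadable; 0: no entry */
        return *err ? AUTH_UNAVAIL : AUTH_FAIL;
    const char *stored = sp->sp_pwdp;
    if (stored == NULL || stored[0] == '\0' || stored[0] == '*' ||
        stored[0] == '!' || strcmp(stored, "x") == 0)
        return AUTH_FAIL;       /* empty, locked or placeholder field */
    const char *computed = hash(pass, stored);
    if (computed == NULL || strcmp(computed, stored) != 0)
        return AUTH_FAIL;
    return AUTH_OK;
}

/* Constructed stand-ins so the example runs without root or /etc/shadow. */
static struct spwd *lookup_denied(const char *name)
{ (void)name; errno = EACCES; return NULL; }
static struct spwd *lookup_found(const char *name)
{
    static struct spwd sp;
    (void)name;
    sp.sp_pwdp = "toy$secret";  /* constructed value, not a real hash */
    return &sp;
}
static char *toy_hash(const char *key, const char *salt)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "%.4s%s", salt, key); /* salt prefix + key */
    return buf;
}

int main(void)
{
    int err;
    return check_shadow("u", "secret", lookup_found, toy_hash, &err) != AUTH_OK;
}
```

Logging the saved errno next to the result lets intermittent failures be matched against the "(13) Permission denied" entries in the Apache log.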

