Hi, I have been looking at mod_auth_pam, and found this bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=246222

What I don't quite understand is the role of unix_chkpwd, and why it's failing. If I set the +r bit on shadow, of course everything works like you say, but unix_chkpwd doesn't get launched. If it's not readable, apparently, unix_chkpwd gets launched to try and authenticate?

Strace of my apache process:

    707 open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
    707 geteuid32() = 33
    707 pipe([14, 15]) = 0
    707 rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
    707 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb798f708) = 718
    707 write(15, "nullok\0\0", 8) = 8
    707 write(15, "XXXXX\0", 7) = 7
    707 close(14) = 0
    707 close(15) = 0
    707 waitpid(718, <unfinished ...>
    718 close(15) = 0
    718 dup2(14, 0) = 0
    718 execve("/sbin/unix_chkpwd", ["/sbin/unix_chkpwd", "davidw"], [/* 0 vars */]) = 0

... don't see it dropping privs ...

    718 read(0, "nullok\0\0", 8) = 8
    718 read(0, "XXXXXX\0", 200) = 7        <- it's correct
    718 open("/etc/passwd", O_RDONLY) = 15
    718 fcntl64(15, F_GETFD) = 0
    718 fcntl64(15, F_SETFD, FD_CLOEXEC) = 0
    718 open("/etc/passwd", O_RDONLY) = 16
    718 fcntl64(16, F_GETFD) = 0
    718 fcntl64(16, F_SETFD, FD_CLOEXEC) = 0
    718 _llseek(16, 0, [0], SEEK_CUR) = 0
    718 fstat64(16, {st_mode=S_IFREG|0644, st_size=1882, ...}) = 0
    718 mmap2(NULL, 1882, PROT_READ, MAP_SHARED, 16, 0) = 0xb7ef7000
    718 _llseek(16, 1882, [1882], SEEK_SET) = 0
    718 munmap(0xb7ef7000, 1882) = 0
    718 close(16) = 0
    718 close(15) = 0
    718 open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)

But it should be setgid...

    [EMAIL PROTECTED]:~# ls -l /sbin/unix_chkpwd
    -rwxr-sr-x 1 root shadow 14988 Sep 12  2005 /sbin/unix_chkpwd

Shadow file is ok:

    -rw-r----- 1 root shadow 1437 Apr  5 17:55 /etc/shadow

I'm a little rusty with my unix security stuff, but... why is it even launching this auxiliary program if it can't do anything it couldn't do in the first place? Also... why can't it read shadow? Ideas?

This really should be possible via some sort of *very, very* simple setuid auth mechanism.

-- 
Webster srl
Sede legale: Via del Seminario, 3 35122 Padova
Sede operativa: Via S. Breda, 28 35010 Limena (PD)
Tel. +39 049 8842188
Email: [EMAIL PROTECTED]
Visita www.libreriauniversitaria.it
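The post shows a setgid-shadow helper that still gets EACCES on /etc/shadow. The script below is an added diagnostic, not part of the original mail or of pam_unix, that checks the conditions a setgid helper needs in order to read a group-protected file: the setgid bit on the helper, the helper's group matching the shadow file's group, the group-read bit on the shadow file, and whether the helper's filesystem is mounted nosuid (in which case the kernel silently ignores setuid/setgid bits). The default paths /sbin/unix_chkpwd and /etc/shadow are taken from the post; the check functions work on any file, and the nosuid check reports "unknown" where /proc/mounts is not available.

```shell
#!/bin/sh
# Diagnose why a setgid helper cannot read a group-protected file.
# Usage: sh diag.sh [HELPER] [SHADOW]   (defaults: /sbin/unix_chkpwd /etc/shadow)

# Ten-character permission string of a file, e.g. "-rwxr-sr-x".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds if the setgid bit is set: the group-exec column shows 's' or 'S'.
has_setgid_bit() {
    case "$(perm_string "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds if the group-read bit is set (column 5 is 'r').
group_readable() {
    [ "$(perm_string "$1" | cut -c5)" = "r" ]
}

# Owning group of a file (fourth field of ls -ld; a numeric gid if unresolvable).
file_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Prints yes/no/unknown: is the filesystem holding the file mounted nosuid?
# With nosuid the kernel ignores setuid/setgid bits on every file in it.
mount_nosuid() {
    [ -r /proc/mounts ] || { echo unknown; return 0; }
    mp=$(df -P "$1" 2>/dev/null | awk 'NR==2 {print $6}')
    opts=$(awk -v mp="$mp" '$2 == mp {o=$4} END {print o}' /proc/mounts)
    if [ -z "$opts" ]; then
        echo unknown
        return 0
    fi
    case ",$opts," in
        *,nosuid,*) echo yes ;;
        *)          echo no ;;
    esac
}

# Report every reason the helper could fail to read the shadow file.
diagnose_helper() {
    helper=${1:-/sbin/unix_chkpwd}
    shadow=${2:-/etc/shadow}
    for f in "$helper" "$shadow"; do
        [ -e "$f" ] || { echo "missing: $f"; return 1; }
    done
    hg=$(file_group "$helper")
    sg=$(file_group "$shadow")
    echo "helper: $(perm_string "$helper") group=$hg  $helper"
    echo "shadow: $(perm_string "$shadow") group=$sg  $shadow"
    has_setgid_bit "$helper" || echo "PROBLEM: helper lacks the setgid bit"
    [ "$hg" = "$sg" ] || echo "PROBLEM: helper group ($hg) differs from shadow group ($sg)"
    group_readable "$shadow" || echo "PROBLEM: shadow file is not group-readable"
    case "$(mount_nosuid "$helper")" in
        yes)     echo "PROBLEM: helper's filesystem is mounted nosuid; setgid is ignored" ;;
        unknown) echo "note: could not determine mount options for $helper" ;;
    esac
    return 0
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    diagnose_helper "$@"
fi
```

Run it as `sh diag.sh /sbin/unix_chkpwd /etc/shadow`. If every check passes and the helper still cannot open the file, the remaining suspects are outside file permissions: a mandatory access control policy confining the web server's children, or a kernel that refuses to honour setgid for processes it considers non-dumpable or otherwise restricted, both of which are visible in the kernel log rather than in `ls -l`.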