Xscreensaver and /etc/passwd + shadow file permissions
DebianThis forum is for the discussion of Debian Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Xscreensaver and /etc/passwd + shadow file permissions
For xscreensaver or any other program where I need to enter authentication, I need to have the file permissions for /etc/passwd and /etc/shadow set to 755. I have tried with other combinations, and it only works when they are executable. I don't understand why, shouldn't both of those files be only accessible and executable by the root user?
Could someone explain? Thanks.
No way
/etc/passwd should be rw-r-r
/etc/shadow should be r---
Yes, but if I have /etc/shadow set for r--- I can't login as my user, or from xscreensaver.
I added my user to the shadow group. Then gave the /etc/shadow file r-x permissions for that group. I'd like to have it so I don't have to do this even.
Code:
Dec 22 06:03:16 delarocha xscreensaver[2011]: pam_unix(xscreensaver:auth): conversation failed
Dec 22 06:03:16 delarocha xscreensaver[2011]: pam_unix(xscreensaver:auth): auth could not identify password for [web]
Dec 22 06:17:01 delarocha CRON[23306]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 22 06:17:01 delarocha CRON[23306]: pam_unix(cron:session): session closed for user root
Dec 22 06:23:00 delarocha su[23595]: Successful su for root by web
Dec 22 06:23:00 delarocha su[23595]: + /dev/pts/0 web:root
Dec 22 06:23:00 delarocha su[23595]: pam_unix(su:session): session opened for user root by web(uid=1000)
Dec 22 06:24:38 delarocha unix_chkpwd[23682]: check pass; user unknown
Dec 22 06:24:42 delarocha unix_chkpwd[23686]: check pass; user unknown
Dec 22 06:24:42 delarocha unix_chkpwd[23686]: password check failed for user (web)
Dec 22 06:24:42 delarocha xscreensaver[2011]: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=web
Dec 22 06:24:43 delarocha xscreensaver[2011]: FAILED LOGIN 1 ON DISPLAY ":0", FOR "web"
Dec 22 06:24:49 delarocha unix_chkpwd[23693]: check pass; user unknown
Dec 22 06:24:56 delarocha login[4058]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Dec 22 06:24:56 delarocha systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Dec 22 06:24:56 delarocha systemd: pam_ck_connector(systemd-user:session): cannot determine display-device
Dec 22 06:24:56 delarocha systemd-logind[832]: New session 18 of user root.
Dec 22 06:24:56 delarocha login[23711]: ROOT LOGIN on '/dev/tty1'
Dec 22 06:25:01 delarocha CRON[23724]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 22 06:25:01 delarocha CRON[23724]: pam_unix(cron:session): session closed for user root
Dec 22 06:25:19 delarocha login[4058]: pam_unix(login:session): session closed for user root
Dec 22 06:25:19 delarocha systemd-logind[832]: Removed session 18.
Dec 22 06:25:19 delarocha systemd: pam_unix(systemd-user:session): session closed for user root
Dec 22 06:25:22 delarocha xscreensaver[2011]: pam_unix(xscreensaver:auth): conversation failed
Dec 22 06:25:22 delarocha xscreensaver[2011]: pam_unix(xscreensaver:auth): auth could not identify password for [web]
#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
I am logged in as web.
I'm using i3 WM, so xscreensaver is set to start as soon as I log in. From there I use a keybinding for
Code:
xscreensaver-command -l
Debian Testing.
I can use su yes.
Code:
web@delarocha:~/.i3$ su
Password:
root@delarocha:/home/web/.i3#
common-auth
Code:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
common-account
Code:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
~
Here are the permissions for passwd and shadow if you'd like to see them. Right now I'm using the group 'shadow', this lets me login and use my password for things just fine.
Code:
-rw-r--r-- 1 root root 2490 Dec 23 00:49 passwd
-rw-r-x---+ 1 root shadow 1486 Dec 21 21:02 shadow
As you have debian on your system, it would be better if you ask debian support about this. They would say more about debian policy for setting /etc/passwd and etc/shadow r-x
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
