LinuxQuestions.org
Old 06-28-2007, 10:50 AM   #1
ricky_ds
pam_tally.so not playing nice with gnome-screensaver??


Hello all,

I've configured pam on our new RHEL5 and found out that everything works as expected, except with the gnome-screensaver. I've then configured /etc/pam.d/gnome-screensaver separately to find out why.

Here's the file:
Code:
#%PAM-1.0

# Fedora Core
#auth        include       system-auth
auth        required      pam_env.so
auth        required      pam_tally.so onerr=succeed
auth        sufficient    pam_unix.so nullok try_first_pass likeauth
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account    include      system-auth
password   include      system-auth
session    include      system-auth

# SuSE/Novell
#auth       include      common-auth
#account    include      common-account
#password   include      common-password
#session    include      common-session

I've found out that if I have "onerr=fail" as it is in system-auth, it wouldn't work; with onerr=succeed it works. So where does it fail?

/var/log/secure gives the answer:

Code:
gnome-screensaver-dialog: pam_tally(gnome-screensaver:account): Error opening /var/log/faillog for update

Code:
ll /var/log/faillog
-rw------- 1 root root 3196800 Jun 28 16:42 /var/log/faillog

I don't see anything wrong here; the login programs must have the corresponding suid bit so that they can write to this file. At least ssh logins work on the machine with a regular user.

So, does the login program of the gnome-screensaver-dialog not have the suid bit? Or am I searching on the wrong path?

Any help is welcome.

Edit:
I did another test which confirmed that it tries to write with my regular user:
Code:
chmod 777 /var/log
rm /var/log/faillog
(login through screensaver)
ll /var/log/faillog
-rw------- 1 myuser myuser 25632 Jun 29 08:52 /var/log/faillog

Doing the same but logging in as a regular user through ssh will create the file with root:root as the owner.

Setting the rights on the file as 666 won't help either, because it will trigger another error message, namely "/var/log/faillog is either world writable or not a normal file"

Last edited by ricky_ds; 06-29-2007 at 02:58 AM.
 
Old 06-29-2007, 03:11 AM   #2
ricky_ds
solved: known bug, workaround: not use pam_tally

Found out here http://www.redhat.com/archives/rhelv.../msg00022.html
that the thing with the gnome-screensaver and other programs is a known issue.
 
1 members found this post helpful.
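
A way to reproduce the diagnosis from this thread without touching /var/log, as an added example that is not part of the original posts and not pam_tally's own code: run it as the same user the authenticating program runs as (the unprivileged desktop user for the screensaver dialog, root for sshd) and compare the verdicts. The function name tally_file_check and the verdict strings are hypothetical, and the order of the checks is an assumption modelled on the two messages quoted above.

```shell
#!/bin/sh
# Added example: checks a tally file the way the two errors quoted in the
# thread suggest, from the point of view of the user running this script.
# tally_file_check and its verdict strings are hypothetical names.

tally_file_check() {
    f=$1

    # Nothing there at all: the caller would have to create the file,
    # which needs write access to the directory (see the chmod 777 test).
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        echo "missing"
        return 0
    fi

    # Symlinks, directories and devices are "not a normal file".
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "not-regular-file"
        return 0
    fi

    # In ls -l output the 9th character is the write bit for "other".
    # Mode 666 sets it, which is why loosening permissions cannot fix
    # the problem: the file is then refused as world writable.
    perms=$(ls -ld -- "$f")
    case $perms in
        ????????w*)
            echo "world-writable"
            return 0
            ;;
    esac

    # Updating a counter needs read and write access. With root:root 0600
    # this holds only for root, so a dialog running as the logged-in user
    # ends up in the else branch.
    if [ -r "$f" ] && [ -w "$f" ]; then
        echo "ok"
    else
        echo "cannot-open-for-update"
    fi
}

# Stand-alone use: sh tally_check.sh /var/log/faillog
if [ "$#" -gt 0 ]; then
    tally_file_check "$1"
fi
```

A verdict of cannot-open-for-update for the desktop user and ok for root matches what the thread observed: the file is fine, but the process doing the authentication is not privileged.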
  

