Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
We are running Fedora Core 14 64-bit, and users who have accounts on the server are having problems changing their respective passwords via the passwd command. The command fails with the following error message:
Quote:
passwd: Authentication token manipulation error
Significantly this message appears on-screen after a few seconds of either activity or no activity.
I have already recreated the /etc/shadow file via the pwconv command syntax. Even after I had done this, the problem has continued to occur. The permissions on the /usr/bin/passwd file appear to be correct including the sticky bit being present:
-rwsr-xr-x 1 root root 27936 Aug 11 2010 passwd
Is this a case where the passwd binary is corrupt, and needs to be restored from backup, or is there something more fundamental going on here?
Thanks.
Last edited by kaplan71; 06-14-2011 at 09:52 AM.
Reason: did not finish message
Do you recall doing any PAM tinkering before the problem started occurring? If so, that would be the first place to check (/etc/pam.d/passwd and/or /etc/pam.d/system-auth on Fedora systems).
If that yields no promising leads, then use strace(1) to observe where the passwd(1) program is falling down.
BTW, it would be strange for a binary to become "corrupt" on a Linux system in the way (I think) you're thinking. Such an event would probably be preceded by lots of noisy disk errors and a system that had difficulty booting at all.
I checked the /etc/pam.d/system-auth file, and I vaguely remember doing some tinkering to it. I don't remember what the default settings were for the file. The current text of the file is shown below:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password required pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
As far as the /etc/pam.d/passwd file is concerned, that does not appear to have been changed in any way. Its context is the following:
Code:
%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
The problem is probably with the system-auth file, and it should probably be put back to its default setting. The question is, what is the correct syntax for it? One other thing, I was mistaken in the OS version of the server. It is the CentOS 5.6 distribution that is on the server.
Take the remember=12 directive out of that line (i.e. remove that key/value pair, not the whole line). See if it works afterward.
On CentOS 5, per /usr/share/doc/pam-0.99.6.2/txts/README.pam_unix, the remember=n directive should work, though. Maybe it wasn't implemented correctly - assuming that is the problem.
Another note: when you're seeing PAM problems, two good places to start checking for clues are /var/log/secure and /var/log/messages.
The 'permission denied' message would imply the suid bit on passwd(1) is not working properly. Have you changed anything else recently that you can think of? (Filesystem mount options, perhaps?)
I ran the chmod 600 command on the shadow file, and tried changing the root account's password. The same error message continued to occur. Because the change did not help matters, I reran the chmod command, and reverted the permissions back
to the 400 status for the shadow file.
I'm running short on ideas this morning. If you can afford to schedule a downtime, I'd reboot the system to single-user mode and force a fsck(8) on /dev/VolGroup00/LogVol00.
Thanks for everyone's suggestions. I was able to solve the problem after trying several things.
I first changed the system to single-user mode via the init 1 command. Once there, I ran the command:
Code:
fsck /dev/VolGroup00/LogVol00
and corrected a series of outstanding errors on the filesytem. After that, the system was returned to runlevel 5 via the init 5 command. The error message continued to occur.
I then tried to run the passwd command to change the root account's password while changing shadow to read/write status for root using the syntax:
Code:
# chmod 600 /etc/shadow && passwd
This attempt was also unsuccessful.
After that, I decided to do a "generic" install of the operating system on another computer. Once that was done, I made a copy of the /etc/pam.d/system-auth-ac file on the problem computer, and copied over a "fresh" version of the file from the second computer.
The replacement file appeared to do the trick, because when I ran the passwd command after the replacement file was in place, I was able to change the root account's password without any error.
Yes, we'd like to see the borked system-auth-ac if you kept a copy (or if you can pull one from backups). I'm a little surprised passwd(1)'s PAM calls were even reading it. I did not see reference to it in the stacks you posted.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.