LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-14-2005, 11:52 PM   #1
Balderayne
LQ Newbie
 
Registered: Jul 2005
Location: New York
Posts: 9

Rep: Reputation: 0
PAM broken - can I uninstall?


Hello all...

I have a problem. PAM was evidentally installed and in use on one of our Enterprise 3 ES servers and we didn't realize it. At some point when changes were made to "passwd" and some programs were re0installed -- those apps stopped working properly even though their "pam" files were intact.

I am not at all certain that we even NEEd PAM on this server. I there a clean way to remove it without blowing-up the whole server?

Thanks...

David
 
Old 10-15-2005, 06:52 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599
At some point when changes were made to "passwd" and some programs were re0installed -- those apps stopped working properly even though their "pam" files were intact.
Could you elaborate on what passwd changes where made and what apps where reinstalled and/or stopped working? Was PAM upgradedas well? What "evidence" do you have the problem lies with PAM? Did you try using the debug flag in the pam service files? Anything in the system logs?


I am not at all certain that we even NEEd PAM on this server.
Yes you do, it's just nobody told you so.


I there a clean way to remove it without blowing-up the whole server?
In my best HAL voice: Don't do that Dave...
 
Old 10-15-2005, 12:55 PM   #3
Balderayne
LQ Newbie
 
Registered: Jul 2005
Location: New York
Posts: 9

Original Poster
Rep: Reputation: 0
unSpawn... thanks...

Well... here's the deal.

We had some user issues with Samba and when we were looking through the "passwd" file we noticed that the user primary and secondary group number were skewed i.e.:

User1 123:456
User2 456:789
User3 789:012
and so on... which it had not been and one of my guys decided to fix everything to match the "group" file. Well... all HELL broke loose and we started having problems with our email system, Citadel (www.citadel.org).

Prior to this issue, we had been getting odd responses from PAM in the messages log and so, by searching the kernel.org site found the idea to create/modify "other" in "pam.d" to look like this:

Code:
#%PAM-1.0
#auth     required       /lib/security/$ISA/pam_deny.so
#account  required       /lib/security/$ISA/pam_deny.so
#password required       /lib/security/$ISA/pam_deny.so
#session  required       /lib/security/$ISA/pam_deny.so

auth     required       pam_unix.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_unix.so
which had corrected for issues of users not being able to access mail.

We have now, multiple times, blown away and re-installed CITADEL and cannot get it to link up with the user profiles. I am kind of assuming, possibly dangerously, that the problem lies with our mods to the "passwd" file and PAM. The latter as it had been a bit of an issue previously. Needless to say, I know very little about PAM and it is confusing the Hell out of me now that I am in this other mess. I have a few books that touch on it but they leave a bit to be desired. I have, in the mean time, re-configured sendmail and imap to handle mail while I figure out the rest of this disaster.

Does this make any more sense? I am a bit frazzled by this to say the very least.

David - Leaving Pad Bay doors closed for now.

Last edited by Balderayne; 10-15-2005 at 12:56 PM.
 
Old 10-16-2005, 06:00 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599
we noticed that the user primary and secondary group number were skewed
What's the scope of the skewage? All users, all wetware users or just a few? Can you trace it back in the logs? Can you link that to actions on the system like passwd changes or sw upgrades?


Prior to this issue, we had been getting odd responses from PAM in the messages log
Could you elaborate on that? I mean PAM could be defined as being "just" an intermediate between autentication databases and applications and therefore *couldn't* fsck things up like that on it's own.


one of my guys decided to fix everything
I would be interested to know how he "fixed" it.
 
Old 10-16-2005, 05:40 PM   #5
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
Quote:
I am not at all certain that we even NEEd PAM on this server. I there a clean way to remove it without blowing-up the whole server?
AFAIK PAM is the authentication backend for virtually every base package in nearly every Linux distribution. Removing PAM would not only break things, it would set you back to like the year 1992 functionality-wise =)
 
Old 10-16-2005, 07:20 PM   #6
msantinho
Member
 
Registered: Oct 2005
Location: Lisbon
Distribution: Slackware
Posts: 55

Rep: Reputation: 17
Quote:
AFAIK PAM is the authentication backend for virtually every base package in nearly every Linux distribution. Removing PAM would not only break things, it would set you back to like the year 1992 functionality-wise =)
You forgot to mention that Slackware does not support PAM out of the box.
 
Old 10-16-2005, 07:39 PM   #7
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
Quote:
You forgot to mention that Slackware does not support PAM out of the box.
I believe that was covered by my the "nearly every Linux distribution" part of my comment.

Slackware is the odd man out on a lot of fronts, not just with regards to PAM, just because Pat is trying to emulate a BSD environment with a Linux kernel for some unknown reason. And IMO he's an idiot for not using PAM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Need to uninstall SuSe 8.1 & there is no uninstall jwhibdon Linux - Software 10 10-26-2006 11:57 AM
uninstall from src if no make uninstall dtra Linux - Software 3 04-29-2005 09:13 AM
Unable to uninstall broken package - anyone dealt successfuly with that? karel2005 Fedora - Installation 4 01-03-2005 07:33 AM
vsftpd + pam + virtual users - Pam cannot load database file. mdkelly069 Linux - Networking 3 09-22-2004 11:07 PM
Source uninstall with 'make uninstall' HOWTO! Creeps Linux - Newbie 6 09-14-2004 11:03 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:27 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration