
ricky_ds 06-28-2007 09:50 AM not playing nice with gnome-screensaver??
Hello all,

I've configured pam on our new RHEL5 and found out that everything works as expected, except with the gnome-screensaver. I've then configured /etc/pam.d/gnome-screensaver separately to find out why.

Here's the file:


# Fedora Core
#auth        include      system-auth
auth        required
auth        required onerr=succeed
auth        sufficient nullok try_first_pass likeauth
auth        requisite uid >= 500 quiet
auth        required

account    include      system-auth
password  include      system-auth
session    include      system-auth

# SuSE/Novell
#auth      include      common-auth
#account    include      common-account
#password  include      common-password
#session    include      common-session

I've found out that if I have "onerr=fail", as it is in system-auth, it doesn't work; with onerr=succeed it works. So where does it fail?

/var/log/secure gives the answer:


gnome-screensaver-dialog: pam_tally(gnome-screensaver:account): Error opening /var/log/faillog for update

ll /var/log/faillog
-rw------- 1 root root 3196800 Jun 28 16:42 /var/log/faillog

I don't see anything wrong here; the login programs must have the corresponding suid-bit so that they can write to this file. At least ssh logins work on the machine with a regular user.

So, does the login program of the gnome-screensaver-dialog not have the suid bit? Or am I searching on the wrong path?

Any help is welcome.

I did another test which confirmed that it tries to write with my regular user:

chmod 777 /var/log
rm /var/log/faillog
(login through screensaver)
ll /var/log/faillog
-rw------- 1 myuser myuser 25632 Jun 29 08:52 /var/log/faillog

Doing the same but logging in as regular user through ssh will create the file with root:root as the owner.

Setting the rights on the file to 666 won't help either, because it will trigger another error message, namely "/var/log/faillog is either world writable or not a normal file".

ricky_ds 06-29-2007 02:11 AM

solved: known bug, workaround: not use pam_tally
Found out here that the thing with the gnome-screensaver and other programs is a known issue.
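
Added example, not part of the original posts: a Python sketch that scans /var/log/secure-style lines for the pam_tally error quoted in the thread, to show which PAM services call pam_tally without the privileges needed to update the tally file, plus a simplified model of the two faillog symptoms reported above. The sample log lines, the function names and the permission model (which ignores group bits) are assumptions made for illustration.

```python
import re
from collections import Counter

# Message format quoted in the thread:
#   <proc>: pam_tally(<service>:<type>): Error opening <path> for update
OPEN_ERR = re.compile(
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: pam_tally\((?P<service>[^:()]+):(?P<mtype>\w+)\): "
    r"Error opening (?P<path>\S+) for update"
)

# Constructed sample input: timestamps, host name and the sshd line are made up.
SAMPLE_SECURE_LOG = """\
Jun 28 16:40:02 host1 sshd[2211]: Accepted password for myuser from 192.0.2.10 port 40022 ssh2
Jun 28 16:42:10 host1 gnome-screensaver-dialog: pam_tally(gnome-screensaver:account): Error opening /var/log/faillog for update
Jun 28 16:45:31 host1 gnome-screensaver-dialog: pam_tally(gnome-screensaver:account): Error opening /var/log/faillog for update
"""

def tally_open_errors(log_text):
    """Count pam_tally open failures per (process, PAM service, tally file)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = OPEN_ERR.search(line)
        if m:
            hits[(m["proc"], m["service"], m["path"])] += 1
    return hits

def faillog_issue(owner_uid, mode, caller_uid):
    """Simplified model of the symptoms in the thread (not pam_tally's own code).

    Returns None when the caller could update the tally file, else a reason.
    Group permissions are ignored (assumption).
    """
    if mode & 0o002:
        return "world-writable: rejected"          # the chmod 666 case
    if caller_uid == 0:
        return None                                # root-privileged login program
    if caller_uid == owner_uid and mode & 0o200:
        return None                                # file created by the user itself
    return "caller cannot open for update"         # unprivileged screensaver dialog

if __name__ == "__main__":
    for (proc, service, path), n in tally_open_errors(SAMPLE_SECURE_LOG).items():
        print(f"{n}x {proc} (PAM service {service}) could not update {path}")
    print("root:root 0600, uid 500 ->", faillog_issue(0, 0o600, 500))
    print("root:root 0666, uid 500 ->", faillog_issue(0, 0o666, 500))
```

Any service this reports is running its PAM stack as the logged-in user, so with onerr=fail it denies the unlock and with onerr=succeed the failed attempt goes uncounted.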
