LinuxQuestions.org


ricky_ds 06-28-2007 09:50 AM

pam_tally.so not playing nice with gnome-screensaver??
 
Hello all,

I've configured pam on our new RHEL5 and found out that everything works as expected, except with the gnome-screensaver. I've then configured /etc/pam.d/gnome-screensaver separately to find out why.

Here's the file:
Code:

#%PAM-1.0

# Fedora Core
#auth       include       system-auth
auth        required      pam_env.so
auth        required      pam_tally.so onerr=succeed
auth        sufficient    pam_unix.so nullok try_first_pass likeauth
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     include       system-auth
password    include       system-auth
session     include       system-auth

# SuSE/Novell
#auth       include       common-auth
#account    include       common-account
#password   include       common-password
#session    include       common-session

I've found out that if I have "onerr=fail", as it is in system-auth, it wouldn't work; with onerr=succeed it works. So where does it fail?

/var/log/secure gives the answer:

Code:

gnome-screensaver-dialog: pam_tally(gnome-screensaver:account): Error opening /var/log/faillog for update
Code:

ll /var/log/faillog
-rw------- 1 root root 3196800 Jun 28 16:42 /var/log/faillog

I don't see anything wrong here; the login programs must have the corresponding suid bit so that they can write to this file. At least ssh logins work on the machine with a regular user.

So, does the login program of the gnome-screensaver-dialog not have the suid bit? Or am I searching on the wrong path?

Any help is welcome.

Edit:
I did another test which confirmed that it tries to write with my regular user:
Code:

chmod 777 /var/log
rm /var/log/faillog
(login through screensaver)
ll /var/log/faillog
-rw------- 1 myuser myuser 25632 Jun 29 08:52 /var/log/faillog

Doing the same but logging in as a regular user through ssh will create the file with root:root as the owner.

Setting the rights on the file to 666 won't help either, because it will trigger another error message, namely "/var/log/faillog is either world writable or not a normal file".
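
A small audit in the spirit of the problem above, added here as an example and not taken from the thread or from RHEL: it parses pam.d rule lines, flags pam_tally entries whose onerr=succeed setting silently skips the lockout, and models the two faillog errors quoted above for a stack run as an unprivileged process such as gnome-screensaver-dialog. The sample files, the uids 0 and 500, and the helper names are constructed; that onerr defaults to fail is taken from the pam_tally manual page.

```python
import re
import stat

# Constructed samples: the gnome-screensaver stack from the post (onerr=succeed)
# and a system-auth-style stack with onerr=fail, so the audit compares both.
SAMPLE_PAMD = {
    "gnome-screensaver": """#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally.so onerr=succeed
auth        sufficient    pam_unix.so nullok try_first_pass likeauth
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
""",
    "system-auth": "auth        required      pam_tally.so onerr=fail deny=5\n",
}
RULE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_rules(text):
    """Return (type, control, module, [args]) per rule line; comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line) if line and not line.startswith("#") else None
        if m:
            rules.append((m[1], m[2], m[3], m[4].split()))
    return rules

def faillog_error(mode, owner_uid, caller_uid):
    """Model the two faillog complaints quoted in the thread: a world-writable
    file is refused, and a 0600 root-owned file cannot be opened for update by
    a process running as an ordinary user (as gnome-screensaver-dialog does)."""
    if mode & stat.S_IWOTH:
        return "faillog is world writable"
    if caller_uid not in (0, owner_uid):
        return "cannot open faillog for update"
    return None

def audit_tally(service, text, faillog_err=None):
    """Findings for pam_tally lines in one service file. A missing onerr is
    treated as fail (assumption: that is pam_tally's documented default)."""
    findings = []
    for ptype, _ctrl, module, args in parse_pam_rules(text):
        if module not in ("pam_tally.so", "pam_tally2.so"):
            continue
        opts = dict(a.split("=", 1) if "=" in a else (a, "") for a in args)
        if opts.get("onerr", "fail") == "succeed":
            findings.append(f"{service} {ptype}: lockout silently skipped (onerr=succeed)")
        elif faillog_err:
            findings.append(f"{service} {ptype}: every login fails ({faillog_err}, onerr=fail)")
    return findings
```

Run `audit_tally(name, text, faillog_error(0o600, 0, 500))` over each sample to see the two outcomes the post describes side by side: the succeed variant authenticates but never counts failures, the fail variant rejects everyone until the file is writable by the caller.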

ricky_ds 06-29-2007 02:11 AM

solved: known bug, workaround: don't use pam_tally
 
Found out here http://www.redhat.com/archives/rhelv.../msg00022.html that the thing with the gnome-screensaver and other programs is a known issue.
