Hi,
I'm trying this simple code in C:
#include <stdio.h>
#include <unistd.h>
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>

int main (int argc, char **argv) {
    /* Conversation callback: misc_conv prompts on the terminal */
    struct pam_conv pamc = {
        misc_conv,
        NULL
    };
    pam_handle_t *pamh;
    int res;

    /* Use the "sudo" service file and authenticate as user "root" */
    res = pam_start ("sudo", "root", &pamc, &pamh);
    printf ("start: %s\n", pam_strerror (pamh, res));
    res = pam_authenticate (pamh, 0);
    printf ("auth: %s\n", pam_strerror (pamh, res));
    res = pam_acct_mgmt (pamh, 0);
    printf ("mgmt: %s\n", pam_strerror (pamh, res));
    res = pam_setcred (pamh, PAM_ESTABLISH_CRED);
    printf ("setcred: %s\n", pam_strerror (pamh, res));
    res = pam_open_session (pamh, 0);
    printf ("session: %s\n", pam_strerror (pamh, res));

    /* Try to become root, report the result, then go back to uid 1000 */
    setuid (0);
    perror ("setuid");
    printf ("Myuid is %d\n", getuid());
    setuid (1000);

    pam_close_session (pamh, 0);
    pam_end (pamh, 0);
    return 0;
}
And I always get this output:
start: Success
Password:
auth: Authentication failure
mgmt: Authentication service cannot retrieve authentication info
setcred: Permission denied
session: Success
setuid: Operation not permitted
Myuid is 1000
I tried different modules like su, gdm, login etc., but had no luck with that. I tried to change the username from "root" to my own, and it worked, but that doesn't make much sense then.
Does anyone know what's wrong?
Try to add "debug" to the flags of each item in the auth stack for your module, and then watch auth.log for output.
Also, I don't think you can call setuid() unless you are either already root, or your program is setuid root.
I didn't get exactly what you think.
This is my PAM service (/etc/pam.d/sudo):
#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
auth required pam_debug.so
And this is what I get in auth.log every time I run the app:
Feb 20 01:00:41 briza unix_chkpwd[2599]: check pass; user unknown
Feb 20 01:00:41 briza unix_chkpwd[2599]: password check failed for user (root)
Feb 20 01:00:41 briza pam: pam_unix(sudo:auth): authentication failure; logname=robi uid=1000 euid=1000 tty= ruser= rhost= user=root
Feb 20 01:00:43 briza unix_chkpwd[2600]: could not obtain user info (root)
Feb 20 01:00:43 briza pam: pam_unix(sudo:session): session opened for user root by robi(uid=1000)
Feb 20 01:00:43 briza pam: pam_unix(sudo:session): session closed for user root
If I change services, I get different messages, but this part is always the same:
Feb 20 01:00:41 briza unix_chkpwd[2599]: check pass; user unknown
Feb 20 01:00:41 briza unix_chkpwd[2599]: password check failed for user (root)
I've made a file recovery program, which needs to remount the volume with the right arguments to work. Instead of running the whole program as root (which might be dangerous since I am the author), I would rather like my program to simply ask for root's password and only (u)mount as root, then drop privileges again to a normal user, so it can't mess anything up.
I've seen that in yaourt, for example. I tried to figure that out from the source of yaourt, su and sudo, but no way...
Make sure the user you are sudo-ing as (the user running your C program) is in the /etc/sudoers file. Just an idea is all. :-)
My Linux & Progamming Blog - Jimmy Burnett
I'm trying to auth as root, who is in the /etc/sudoers file by default. But thanks for the reply/idea anyway.
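The reply about setuid() and the stated goal of running only the (u)mount step as root, as an added example that is not code from any poster in this thread: a program that keeps its effective uid at the invoking user, raises it around one operation, and then drops it for good. The names priv_init, priv_run, priv_drop_forever and report_euid are hypothetical, and installing the binary setuid root is an assumption; without it the calls succeed but never gain any privilege.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* real_uid: invoking user; priv_uid: file owner (root if installed setuid root). */
static uid_t real_uid, priv_uid;

/* Call first in main(): remember both identities, then run unprivileged. */
int priv_init(void) {
    real_uid = getuid();
    priv_uid = geteuid();
    return seteuid(real_uid);
}

/* Raise the effective uid around exactly one operation, then lower it again. */
int priv_run(int (*op)(void *), void *arg) {
    int rc;
    if (seteuid(priv_uid) != 0) return -1;
    rc = op(arg);
    if (seteuid(real_uid) != 0) _exit(111); /* never continue half-privileged */
    return rc;
}

/* Permanent drop. setuid() resets the saved set-user-ID only while the caller
 * is privileged, so regain priv_uid first. On -1 the caller must exit. */
int priv_drop_forever(void) {
    if (seteuid(priv_uid) != 0) return -1;
    if (setgid(getgid()) != 0 || setuid(real_uid) != 0) return -1;
    /* Verify: switching back to the old effective uid must now fail. */
    if (priv_uid != real_uid && seteuid(priv_uid) == 0) return -1;
    return geteuid() == real_uid ? 0 : -1;
}

/* Hypothetical stand-in for the (u)mount step: records the euid it ran with. */
static int report_euid(void *out) {
    *(uid_t *)out = geteuid();
    return 0;
}

int main(void) {
    uid_t seen = (uid_t)-1;
    if (priv_init() != 0 || priv_run(report_euid, &seen) != 0) return 1;
    printf("operation ran with euid=%d, now euid=%d\n", (int)seen, (int)geteuid());
    if (priv_drop_forever() != 0) return 1;
    printf("after permanent drop: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```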