mrleo

Reputation: 11

How to hash check when shadow not readable in pam_unix?

I am playing with Linux PAM module and I am confused how it is possible to successfully authenticate the executing user, when the user has no access to the shadow file.

As I saw with other applications, access to the shadow file is granted via SETUID to root, but this is not the scope of my question :)

My check_user application (headers and the argv handling the snippet was missing are filled in; build with -lpam -lpam_misc):

#include <stdio.h>
#include <security/pam_appl.h>
#include <security/pam_misc.h>   /* misc_conv: text-mode conversation on the terminal */

int main(int argc, char *argv[])
{
    struct pam_conv conv = {
        misc_conv,
        NULL
    };
    pam_handle_t *pamh = NULL;
    int retval;
    const char *user = NULL;

    if (argc < 2) {
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 1;
    }
    user = argv[1];

    /* the service name "check_user" selects /etc/pam.d/check_user */
    retval = pam_start("check_user", user, &conv, &pamh);
    if (retval == PAM_SUCCESS)
        retval = pam_authenticate(pamh, 0);
    if (retval == PAM_SUCCESS)
        fprintf(stdout, "Authenticated\n");
    else
        fprintf(stdout, "NOT\n");
    if (pam_end(pamh, retval) != PAM_SUCCESS)
        return 1;
    return retval == PAM_SUCCESS ? 0 : 1;
}

My /etc/pam.d/check_user:

auth    required                        pam_unix.so

When I execute the program as user testi with the proper password (./check_user testi, then Password:), I get a successful 'Authenticated'. Whenever I enter the wrong password, or try with another user, I get Authentication Failed. The latter is clear to me, but I do not understand how, for user testi, I get different results depending on the correctness of the password.

In strace I see that access to the shadow file is denied and that the process's status proc file is checked for the UID. But how is the password checked without access to the shadow file?

Thanks a lot

Upvotes: 1

Views: 375

Answers (1)

Nominal Animal

Reputation: 39298

I am playing with Linux PAM module and I am confused how it is possible to successfully authenticate the executing user, when the user has no access to the shadow file.

As I saw with other applications, access to the shadow file is granted via SETUID to root, but this is not the scope of my question :)

No, it definitely is in the scope of your question.

When PAM needs to authenticate a username-password pair, it forks a child process that executes the setuid-root helper (/sbin/unix_chkpwd for pam_unix) to do the verification. The username and password are passed to the trusted helper process. The helper has sufficient privileges to do the verification, and simply responds whether the verification was successful.

In particular, the shadow entry data corresponding to the user is never passed to the application; that information stays within the privileged helper process.

Upvotes: 2
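The exchange the answer describes, as an added example that is not part of the original answer or of Linux-PAM's own code: a minimal re-implementation of the client side of the pam_unix/unix_chkpwd handshake. It assumes the helper lives at /sbin/unix_chkpwd (pam_unix takes this path from its build configuration and it varies by distribution) and is invoked as `unix_chkpwd <user> nullok|nonull` with the password written to the helper's stdin including its terminating NUL, which is how pam_unix's _unix_run_helper_binary() calls it; the helper's exit status is the PAM return code (0 for PAM_SUCCESS). The generic run_helper() is the part that runs anywhere; unix_chkpwd_verify() only does something useful on a system with the real setuid helper installed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed location of the setuid-root helper; pam_unix gets this from its
 * build configuration (CHKPWD_HELPER) and it differs between distributions. */
#define CHKPWD_HELPER "/sbin/unix_chkpwd"

/*
 * Run `path` with `argv`, hand it `password` on stdin the way pam_unix does
 * (the bytes of the string plus the terminating NUL), and return the child's
 * exit status: 0..255, 127 if exec failed, -1 on a local error or if the
 * child died from a signal.
 *
 * The parent keeps the pipe's read end open until after the write, so a
 * helper that exits before reading cannot turn the write into a SIGPIPE.
 */
int run_helper(const char *path, char *const argv[], const char *password)
{
    int fds[2];
    pid_t child;
    int status;
    size_t len = strlen(password) + 1;          /* include the NUL */
    ssize_t written;

    if (pipe(fds) != 0)
        return -1;

    child = fork();
    if (child < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }

    if (child == 0) {
        /* Child: the pipe's read end becomes the helper's stdin. */
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]);
        close(fds[1]);
        execv(path, argv);
        _exit(127);                             /* exec failed */
    }

    /* Parent: the helper only ever receives the user name and the password;
     * the shadow entry never crosses this boundary in either direction. */
    written = write(fds[1], password, len);
    close(fds[1]);                              /* EOF for the helper */
    close(fds[0]);

    while (waitpid(child, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    if (written != (ssize_t)len || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/*
 * Ask unix_chkpwd whether `password` is valid for `user`. Returns 0 when the
 * helper exits with PAM_SUCCESS, otherwise the PAM error code it exited with.
 * Run as a non-root user, the helper only answers for the caller's own
 * account (it compares `user` with the name of its real UID), which is why
 * the question's check_user works for "testi" but not for other users.
 */
int unix_chkpwd_verify(const char *user, const char *password, int nullok)
{
    char *const argv[] = {
        CHKPWD_HELPER, (char *)user, nullok ? "nullok" : "nonull", NULL
    };
    return run_helper(CHKPWD_HELPER, argv, password);
}

int main(int argc, char *argv[])
{
    char password[256];
    int rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s user   (password is read from stdin)\n", argv[0]);
        return 2;
    }
    if (!fgets(password, sizeof password, stdin))
        return 2;
    password[strcspn(password, "\n")] = '\0';   /* strip the newline */

    rc = unix_chkpwd_verify(argv[1], password, 0);
    printf("%s (helper exit status %d)\n", rc == 0 ? "Authenticated" : "NOT", rc);
    return rc == 0 ? 0 : 1;
}
```

Reading the password with fgets is a placeholder for the PAM conversation the question's program uses; the point of the block is the process boundary. pam_unix itself only falls back to the helper when it cannot read the user's shadow entry directly, so a service running as root verifies the hash in-process and the helper is never started.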
