Reputation: 1953
I have written a simple application to authenticate a user using PAM the common way: pam_start(), pam_authenticate() + my own conversation function + pam_end().
If the application is run under the user whose credentials are being checked, authentication succeeds. Otherwise, if the application is run from user A to check the credentials of user B, the authentication fails.
My question: why? As the service name passed to pam_start() I have also tried login as well as passwd. Nothing has changed. Which direction should I go to debug the problem? Or possibly I should use another PAM service to perform the task?
p.s. user 'A' in the second case is a user with no password and a /bin/false shell.
Upvotes: 0
Views: 952
Reputation: 66263
User A might not have permission to read the password file /etc/shadow. This is one reason why credential-checking programs usually require root privileges.
So: Does it work for user A and user B if you execute the program with root privileges / as the root user?
Upvotes: 0
Reputation: 18542
How are you checking the "credentials"? Is it some file being read? Can user A read that file?
The service name passed to pam_start does not affect what the process can do. Note that programs that need to do similar things, like su or passwd, are actually setuid programs.
Also, watch out not to create security holes in your application/module by allowing user A to impersonate user B.
Upvotes: 0