Bug 218292 - PAM is acting strange and refusing to authenticate properly for Apache in mod_authn_pam
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: PAM Gentoo Team (OBSOLETE)
Reported: 2008-04-18 17:22 UTC by Tres 'RiverRat' Melton
Modified: 2011-10-30 22:39 UTC (History)
Attachments
pam-tester.c (2.21 KB, text/plain): Test code showing the problem. Attached 2008-04-18 17:27 UTC by Tres 'RiverRat' Melton.
pam-test-results (2.08 KB, text/plain): These are the results of the testing code. Attached 2008-04-18 17:31 UTC by Tres 'RiverRat' Melton.

Description Tres 'RiverRat' Melton 2008-04-18 17:22:55 UTC
I've tried to get mod_authn_pam (bug #204921) to work from inside of Apache to authenticate people against the standard system accounts (/etc/shadow) and it fails.  I've dug into the source code and can confirm that it is receiving the proper data and passing the data along to PAM properly, but it still fails.  This is very similar to a bug that was recently fixed (bug #76617) where I was having problems authenticating with /usr/bin/checkpassword-pam and had to resort to making it SUID root, but a recent upgrade allowed me to drop the SUID bit and it would still work.  See comments 15-17 on bug #76617 for the gory details.  I am positive that it is the same problem here: the UID/EUID of the calling program is causing PAM to fail.  To that end I have pirated/modified some code to confirm that to myself and to the PAM developers.  Attachments and more comments coming.
Comment 1 Tres 'RiverRat' Melton 2008-04-18 17:27:49 UTC
Created attachment 150202 [details]
Test code showing the problem

This is the code that I pirated/modified to show the problem.
Comment 2 Tres 'RiverRat' Melton 2008-04-18 17:31:21 UTC
Created attachment 150204 [details]
These are the results of the testing code

This is the test results for the above attached C code.  The instructions for getting these results will be in the next comment.
Comment 3 Tres 'RiverRat' Melton 2008-04-18 17:40:42 UTC
Create the file /etc/pam.d/check_user as outlined in the top of the test results.

auth       required     pam_unix.so
account    required     pam_unix.so

and set the permissions/ownership correctly.

-rw-r--r-- 1 root root 72 Apr 17 14:00 /etc/pam.d/check_user

Then create a makefile or just do this:

$> gcc pam-tester.c -o pam-tester -lpam -lpam_misc
$> cp pam-tester pam-tester-root
$> cp pam-tester pam-tester-apache
$> cp pam-tester pam-tester-tres
$> sudo chown tres:tres         pam-tester-tres
$> sudo chown apache:apache     pam-tester-apache
$> sudo chown root:root         pam-tester-root
$> sudo chmod +s                pam-tester-tres pam-tester-apache \
pam-tester-root

Then run each of the executables as various users.  Only the requester or a privileged user can obtain the desired results.  I need for Apache to obtain the proper results for this to work.  This should be the results if I read this correctly:  http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/adg-security.html
        PAM, from the perspective of an application, is a convenient API for
        authenticating users. PAM modules generally have no increased
        privilege over that possessed by the application that is making use
        of it. For this reason, the application must take ultimate
        responsibility for protecting the environment in which PAM operates.

However, it seems that some low-level interaction within PAM is still a bit undefined, as stated here:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/adg-security-usre-identity.html
        This seems to be the culprit at first inspection.  The module needs
        to just accept the apache web server at its word that the requesting
        user is who they say they are until the password can be confirmed.
        Then, if the password matches the user, it will know that the user
        is who they say they are and return "successfully authenticated".
        However, neither this test app nor the module in question use either
        pam_get_item or pam_set_item to indicate a requesting user.

This is my first foray into PAM except for simply using it or cussing at it and I'm out of ideas.  Any help would be appreciated.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-18 20:27:38 UTC
This looks more like a configuration problem, not a security issue... reassigning to PAM maintainers, cc security@ back if I ever missed something.
Comment 5 Tres 'RiverRat' Melton 2008-04-19 17:49:51 UTC
I've done a lot more reading and there is no part of PAM that has elevated privs to my knowledge, so it cannot read a shadow password file.  It therefore requires that it be called from a program with elevated privs to be able to check /etc/shadow, so the real problem is poor debugging messages.

I'm closing this as invalid.  Sorry folks.