Bug 267498 - sys-process/at-[pam] tries accessing /etc/shadow after dropping root privileges
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: No maintainer - Look at if you want to take care of it
Reported: 2009-04-26 05:30 UTC by Tero Pelander
Modified: 2023-01-28 20:30 UTC
Description Tero Pelander 2009-04-26 05:30:31 UTC
If at is compiled with USE=pam then users that are listed only in /etc/passwd don't work. Ldap-users do work. Explanation of reasons in

For local users following line is printed into syslog.
[atd] Authentication service cannot retrieve authentication info

Work around is to replace "account" line in /etc/pam.d/atd with following
account required - deny UPPERCASE characters in username (required because of ldap...)

My /etc/pam.d/system-auth
auth	requisite
auth	sufficient try_first_pass nodelay
auth	sufficient use_first_pass
auth	required

account	required
account	sufficient
account	sufficient ignore_unknown_user

password required min=disabled,8,8,8,7 passphrase=0 random=0
password sufficient use_authtok
password sufficient md5 shadow use_authtok
password required

session required
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-04-26 10:48:05 UTC
Please don't CC maintainers/herds yourself. Leave that to the bug-wranglers.

*** This bug has been marked as a duplicate of bug 267438 ***
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-04-26 13:10:11 UTC
Lars, okay for the CC (somewhat) but if you read the bug you duped this against, I explicitly asked for this one!
Comment 3 SpanKY gentoo-dev 2009-04-27 04:56:01 UTC
pam team can modify the pam.d file however it sees fit
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-04-27 05:11:38 UTC
(In reply to comment #2)
> Lars, okay for the CC (somewhat) but if you read the bug you duped this
> against, I explicitly asked for this one!

Sorry for that. I was in a rush when I wrangled this bug.
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-31 16:05:37 UTC
This is a bug in at, not in PAM, it shouldn't drop root before calling pam_start… at a minimum it should save the DAC_OVERRIDE cap before doing that.
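An added example, not code from at or from this bug report: a check that reads the text of /proc/<pid>/status and decides whether that process can still read /etc/shadow, which is the condition behind the syslog message in the description and the capability point in comment 5. It assumes /etc/shadow is owned by root and readable by its owner only, goes beyond the thread by also accepting CAP_DAC_READ_SEARCH, and the status samples and the names status_field and can_read_shadow are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Capability bit numbers from <linux/capability.h>. */
#define CAP_DAC_OVERRIDE_BIT    1
#define CAP_DAC_READ_SEARCH_BIT 2

/* Constructed /proc/<pid>/status excerpts (not captured from a real atd). */
static const char DROPPED[] = "Name:\tatd\nUid:\t2\t2\t2\t2\nCapEff:\t0000000000000000\n";
static const char KEPT[]    = "Name:\tatd\nUid:\t2\t2\t2\t2\nCapEff:\t0000000000000002\n";
static const char ROOT[]    = "Name:\tatd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n";

/* Return a pointer to the value of "key:" at the start of a line, or NULL. */
static const char *status_field(const char *status, const char *key)
{
    size_t klen = strlen(key);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':')
            return p + klen + 1;
        p = strchr(p, '\n');          /* advance to the next line */
        if (p) p++;
    }
    return NULL;
}

/* 1: process can read a root-only /etc/shadow, 0: it cannot, -1: parse error. */
int can_read_shadow(const char *status)
{
    const char *uid = status_field(status, "Uid");
    const char *cap = status_field(status, "CapEff");
    unsigned long fsuid;
    unsigned long long eff;

    if (!uid || !cap) return -1;
    /* Uid: real, effective, saved, filesystem. File access checks use fsuid. */
    if (sscanf(uid, "%*u %*u %*u %lu", &fsuid) != 1) return -1;
    if (sscanf(cap, "%llx", &eff) != 1) return -1;

    if (fsuid == 0) return 1;                               /* owner of the file */
    if (eff & (1ULL << CAP_DAC_OVERRIDE_BIT)) return 1;     /* bypasses DAC checks */
    if (eff & (1ULL << CAP_DAC_READ_SEARCH_BIT)) return 1;  /* bypasses read checks */
    return 0;
}

int main(void)
{
    printf("dropped=%d kept=%d root=%d\n", can_read_shadow(DROPPED),
           can_read_shadow(KEPT), can_read_shadow(ROOT));
    return 0;
}
```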