Re: [gdm-list] using gdm with pam_mkhomedir
- From: Brian Cameron <Brian Cameron Sun COM>
- To: james bardin <jbardin bu edu>
- Cc: gdm-list gnome org
- Subject: Re: [gdm-list] using gdm with pam_mkhomedir
- Date: Mon, 09 Jul 2007 23:26:11 -0500
James:
Thanks, I'm starting to get closer, but I'm wondering if this might end
up as a bug/feature request.
I read a tip at the bottom of this page:
http://www.redhat.com/magazine/024oct06/features/tips_tricks/ about
using pam_oddjob_mkhomedir.so
The article makes it sound like pam_mkhomedir gets run with the
permissions of GDM, which is none for security reasons. Is there someone
around that could verify this?
I'm not exactly sure how pam_mkhomedir works, but I'm pretty confident
that GDM runs PAM modules as the root user. Note this code from
daemon/slave.c. All the PAM stuff is done in the gdm_verify_user call:
    /* just for paranoia's sake */
    NEVER_FAILS_root_set_euid_egid (0, 0);

    gdm_debug ("gdm_slave_wait_for_login: In loop");

    username = d->preset_user;
    d->preset_user = NULL;
    login = gdm_verify_user (d /* the display */,
                             username /* username */,
                             TRUE /* allow retry */);
Also note that there are no seteuid, setuid, etc. calls in the
daemon/verify-pam.c code. Perhaps I'm missing something, but I'd say
this would be running as root unless the PAM module itself is dropping
permissions by calling seteuid directly.
I haven't had a chance to try it with redhat's oddjob module yet, but I
have a hack using automount as a backup plan now - a program map that
creates the home directories, and never returns mount parameters.
Brian
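The thread turns on two practical checks: whether GDM opens sessions through the same PAM stack as console login (the PamStack question in the earlier reply quoted below), and whether a mkhomedir module is actually present in that stack's session phase. The script below is an added example written for this page; it is not code from the gdm project or from either poster. It reads pam.d-style service files, normalizes their session phase (following one-level `include` lines), and adds the caveat a practitioner would want: pam_mkhomedir's default umask is 0022, so a stack that merely contains the module still creates world-readable home directories. The service file names and the sample stacks written by `make_sample_stacks` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the gdm project or from this thread): a small
# lint for the PAM session stack a display manager uses. It answers two
# questions: does GDM open sessions through the same stack as console login,
# and is a mkhomedir module in that stack with a restrictive umask?
# All file names and sample stacks below are constructed for the demo.

# Print the normalized session phase of a pam.d service file, following
# "session include <service>" lines (resolved in the same directory).
# Bracketed controls such as "[success=1 default=ignore]" are not handled.
session_stack() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    while read -r type control module args; do
        [ "$type" = "session" ] || continue
        if [ "$control" = "include" ]; then
            session_stack "$(dirname "$1")/$module"
        else
            printf '%s\n' "$control $module${args:+ $args}"
        fi
    done
}

# Exit 0 only if the two services would run identical session stacks.
same_session_stack() {
    [ "$(session_stack "$1")" = "$(session_stack "$2")" ]
}

# Exit 0 only if a mkhomedir module is in the session phase with a umask that
# masks all group and other bits. pam_mkhomedir defaults to umask 0022, which
# leaves every freshly created home directory readable by everyone. For
# pam_oddjob_mkhomedir the effective umask may also come from oddjobd's own
# configuration; this check only looks at the PAM line itself.
mkhomedir_ok() {
    session_stack "$1" | awk '
        $2 == "pam_mkhomedir.so" || $2 == "pam_oddjob_mkhomedir.so" {
            found = 1
            for (i = 3; i <= NF; i++)
                if ($i ~ /^umask=/) { split($i, kv, "="); um = kv[2] }
        }
        END {
            if (!found) { print "FAIL: no mkhomedir module in session phase"; exit 1 }
            if (um == "") um = "0022 (default)"
            if (um !~ /^0*[0-7]?77$/) { print "FAIL: mkhomedir umask " um " is too permissive"; exit 1 }
            print "ok: mkhomedir present, umask " um
        }'
}

# Constructed sample stacks, modelled on a RHEL/CentOS-style pam.d layout.
make_sample_stacks() {
    cat >"$1/system-auth" <<'EOF'
auth     required pam_env.so
auth     required pam_unix.so
session  required pam_limits.so
session  required pam_unix.so
EOF
    # console login: creates the home directory with a private umask
    cat >"$1/login" <<'EOF'
auth     include  system-auth
session  include  system-auth
session  optional pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
    # display manager: only the shared include, so no home directory is made
    cat >"$1/gdm" <<'EOF'
auth     include  system-auth
session  include  system-auth
EOF
}

# Run with "demo" as the first argument to lint the constructed stacks.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_stacks "$d"
    same_session_stack "$d/login" "$d/gdm" || echo "session stacks differ: login vs gdm"
    mkhomedir_ok "$d/gdm" || :
    mkhomedir_ok "$d/login" || :
    rm -rf "$d"
fi
```

Run it as `sh pamlint.sh demo` to see the constructed gdm stack flagged and the login stack pass; point `same_session_stack` and `mkhomedir_ok` at real `/etc/pam.d/gdm` and `/etc/pam.d/login` to check a live system. Because the session phase runs with the display manager's own privileges (root, as the slave.c excerpt shows), anything pam_mkhomedir creates inherits its umask, which is why the umask check matters as much as the module's presence.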
On 7/9/07, Brian Cameron <Brian Cameron sun com> wrote:
James:
Note that the "Couldn't open session for testuser" message is coming from
daemon/verify-pam.c in the function gdm_verify_user. This message gets
echoed if the pam_open_session function fails. So it seems that the
problem is happening in the PAM module and not in GDM.
Are you sure you are using the same PAM module for GDM as you are with
console login? Note the PamStack GDM configuration option might need
to be set to the same value you are using with other programs.
Brian
> I'm unable to get gdm working with pam_mkhomedir. The real problem is
> that gdm fails before we get to pam_mkhomedir, it seems -- due to lack
> of a home directory.
>
> Here is the gdm log output:
> gdm[6160]: pam_krb5[6160]: authentication succeeds for 'testuser' (testuser bu edu)
> gdm[6160]: Sending QUERYLOGIN == <secret> for slave 6160
> gdm[5719]: Handling message: 'QUERYLOGIN 6160 testuser'
> gdm[5719]: Got QUERYLOGIN testuser
> gdm[6160]: Couldn't open session for testuser
> gdm[6160]: writing failed session attempt record
> gdm[6160]: using username testuser
> gdm[6160]: using id
> gdm[6160]: using line :0
> gdm[6160]: using time 1183751066
> gdm[6160]: using type USER_PROCESS
> gdm[6160]: using pid 6160
> gdm[6160]: writing failed session attempt record to /var/log/btmp
> gdm[6160]: gdm_slave_wait_for_login: end verify for ''
> gdm[6160]: gdm_slave_wait_for_login: No login/Bad login
> gdm[6160]: gdm_slave_wait_for_login: In loop
>
> console and ssh login both work fine. If I login via the console first,
> the home directory is created, then gdm logins will work. I tried using
> gdm/PostLogin, but it doesn't get that far either.
>
> This is on CentOS5, i386 and x86_64
>
> Thanks
> -jim
> _______________________________________________
> gdm-list mailing list
> gdm-list gnome org
> http://mail.gnome.org/mailman/listinfo/gdm-list