Re: pam_tally and unlocking user accounts


  Sorry if this has been asked before. I have a query with regard to
pam_tally and gnome-screensaver. If pam_tally is set in system-auth on
Fedora, gnome-screensaver is not able to unlock the screen.

  Reason being, pam_tally needs root privileges to write to
"/var/log/faillog" and gnome-screensaver-dialog runs as a regular user.

This is a bug in pam_tally; it should use a setuid helper binary to
write to /var/log/faillog (and the binary should look at the real uid
it's running as).  This is analogous to pam_unix, which uses
unix_chkpasswd to look at the shadow file and verify the logged-in
user's password (and no one else's).

There is a bug about it *somewhere* in Red Hat Bugzilla, but I can't
seem to find it.  IIRC, Tomas was planning on rewriting the module
from scratch to solve this issue and a few other problems.

Tomas, did that ever happen, or did it get punted?
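
The real-uid check that a setuid helper of the kind proposed above would make before touching a tally record, as an added example that is not part of the original message or of pam_tally. The function names, return codes, login-name pattern and the exception for real uid 0 are assumptions of this sketch, and it performs no write to the faillog.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum { REQ_OK = 0, REQ_BAD_NAME = -1, REQ_UNKNOWN_USER = -2, REQ_DENIED = -3 };

/* argv of a setuid program is caller-controlled: accept only a
 * conservative login-name shape (assumed pattern, not from pam_tally). */
static int valid_user_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 32)
        return 0;
    if (!isalpha((unsigned char)name[0]) && name[0] != '_')
        return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Policy: the invoking (real) uid may touch only its own record.
 * Letting real uid 0 act for anyone is an assumption of this sketch. */
static int tally_update_allowed(uid_t real_uid, uid_t target_uid)
{
    return real_uid == 0 || real_uid == target_uid;
}

/* Validate the name, resolve it, then apply the policy to the real uid. */
static int check_request(const char *name, uid_t real_uid)
{
    if (!valid_user_name(name))
        return REQ_BAD_NAME;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return REQ_UNKNOWN_USER;
    return tally_update_allowed(real_uid, pw->pw_uid) ? REQ_OK : REQ_DENIED;
}

int main(int argc, char **argv)
{
    /* getuid() is the real uid; under the setuid bit geteuid() would be the file owner. */
    int rc = check_request(argc > 1 ? argv[1] : "", getuid());
    printf("request %s (code %d)\n", rc == REQ_OK ? "accepted" : "refused", rc);
    return rc == REQ_OK ? 0 : 1;
}
```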


