Re: pam_tally and unlocking user accounts
- From: "Ray Strode" <halfline gmail com>
- To: "Ritesh Khadgaray" <khadgaray gmail com>
- Cc: tmraz redhat com, Screensaver-list gnome org
- Subject: Re: pam_tally and unlocking user accounts
- Date: Sun, 8 Jul 2007 01:06:22 -0400
Hi,
Sorry if this has been asked before. I have a query with regard to
pam_tally and gnome-screensaver. If pam_tally is set in system-auth on
Fedora, gnome-screensaver is not able to unlock the screen.
Reason being, pam_tally needs root privileges to write to
"/var/log/faillog" and gnome-screensaver-dialog runs as a regular user.
This is a bug in pam_tally; it should use a setuid helper binary to
write to /var/log/faillog (and the binary should look at the real uid
it's running as). This is analogous to pam_unix, which uses
unix_chkpasswd to look at the shadow file and verify the logged-in
user's password (and no one else's).
There is a bug about it *somewhere* in Red Hat Bugzilla, but I can't
seem to find it. IIRC, Tomas was planning on rewriting the module
from scratch to solve this issue and a few other problems.
Tomas, did that ever happen, or did it get punted?
--Ray
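
The design suggested in the reply above, a setuid helper that looks at its real uid before touching /var/log/faillog, shown as an added example (it is not code from pam_tally or unix_chkpasswd). The function name `may_update_tally`, the rule that root may act for any user, and the omitted file write are assumptions of this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Decide whether a caller with real uid `ruid` may update the failure
 * record of `target_user`. On success returns 1 and stores the target's
 * uid in *target_uid; returns 0 for every other case (fail closed). */
int may_update_tally(uid_t ruid, const char *target_user, uid_t *target_uid)
{
    if (target_user == NULL || *target_user == '\0')
        return 0;

    struct passwd *pw = getpwnam(target_user);
    if (pw == NULL)                 /* unknown account: refuse */
        return 0;

    /* Compare uids, not names: several names can map to one uid.
     * Assumption of this example: real uid 0 may act for any user. */
    if (ruid != 0 && pw->pw_uid != ruid)
        return 0;

    if (target_uid != NULL)
        *target_uid = pw->pw_uid;
    return 1;
}

int main(int argc, char **argv)
{
    uid_t target;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <user>\n", argv[0]);
        return 2;
    }
    /* getuid(), not geteuid(): in a setuid-root binary the effective uid
     * is always 0 and says nothing about who started the helper. */
    if (!may_update_tally(getuid(), argv[1], &target)) {
        fprintf(stderr, "refusing to update the tally of %s\n", argv[1]);
        return 1;
    }
    /* The write to /var/log/faillog would happen here, and only here;
     * it is left out because the page does not describe the file format. */
    printf("caller uid %lu may update the record of uid %lu\n",
           (unsigned long)getuid(), (unsigned long)target);
    return 0;
}
```

Because the check uses the real uid, a screen-lock dialog running as a regular user could record its own failed or successful attempts through such a helper, but not another account's.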