Re: pam_tally and unlocking user accounts

On Sun, 2007-07-08 at 01:06 -0400, Ray Strode wrote:
> Hi,
> >   sorry if this has been asked before, I have query with regard to
> > pam_tally and gnome-screensaver. if pam_tally is set in system-auth on
> > fedora, gnome screensaver is not able to unlock the screen.
> >
> >   Reason being, pam_tally needs root privileges to write to
> > "/var/log/faillog" and gnome-screensaver-dialog runs as a regular user.
> This is a bug in pam_tally, it should use a setuid helper binary to
> write to /var/log/failog (and the binary should look at the real uid
> it's running as).  This is analogous to pam_unix which uses
> unix_chkpasswd to look at the shadow file and verify the logged in
> user's password (and no-one elses).
> There is a bug about it *somewhere* in red hat bugzilla, but I can't
> seem to find it.  IIRC, Tomas was planning on rewriting the module
> from scratch to solve this issue and a few other problems.
> Tomas, did that ever happen, or did it get punted?

We have pam_tally2 module which solves the other problems but not this
one. However you can workaround it either by skipping the pam_tally(2)
module over with pam_succeed_if module (using service match for
screensaver). You can find some inspiration by running authconfig-gtk
and enabling smart card authentication. Or you can use 'onerr=succeed'
option of the pam_tally(2) module which means that pam_tally(2) will
return success if it cannot open the faillog (tallylog in case of

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]