Re: pam_tally and unlocking user accounts
- From: Tomas Mraz <tmraz redhat com>
- To: Ray Strode <halfline gmail com>
- Cc: Screensaver-list gnome org
- Subject: Re: pam_tally and unlocking user accounts
- Date: Mon, 09 Jul 2007 10:04:57 -0000
On Sun, 2007-07-08 at 01:06 -0400, Ray Strode wrote:
> Hi,
>
> > Sorry if this has been asked before, I have a query with regard to
> > pam_tally and gnome-screensaver. If pam_tally is set in system-auth on
> > Fedora, gnome-screensaver is not able to unlock the screen.
> >
> > Reason being, pam_tally needs root privileges to write to
> > "/var/log/faillog" and gnome-screensaver-dialog runs as a regular user.
>
> This is a bug in pam_tally, it should use a setuid helper binary to
> write to /var/log/faillog (and the binary should look at the real uid
> it's running as). This is analogous to pam_unix which uses
> unix_chkpasswd to look at the shadow file and verify the logged in
> user's password (and no-one else's).
>
> There is a bug about it *somewhere* in red hat bugzilla, but I can't
> seem to find it. IIRC, Tomas was planning on rewriting the module
> from scratch to solve this issue and a few other problems.
>
> Tomas, did that ever happen, or did it get punted?
We have the pam_tally2 module which solves the other problems but not this
one. However, you can work around it either by skipping over the pam_tally(2)
module with the pam_succeed_if module (using a service match for the
screensaver). You can find some inspiration by running authconfig-gtk
and enabling smart card authentication. Or you can use the 'onerr=succeed'
option of the pam_tally(2) module, which means that pam_tally(2) will
return success if it cannot open the faillog (tallylog in the case of
pam_tally2).
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
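The two workarounds above, written out as an added example of a Fedora-style system-auth auth stack (not taken from the thread or from any distribution's shipped file); it assumes the screensaver authenticates under the PAM service name "gnome-screensaver" and that pam_tally2 is the module in use:

```text
# /etc/pam.d/system-auth (auth section only) -- constructed example
auth        required      pam_env.so

# Workaround 1: skip the next module (pam_tally2) when the calling
# service is the screensaver, which runs as the user and cannot write
# /var/log/tallylog. success=1 jumps over exactly one module; keep the
# pam_tally2 line directly below it or the jump lands elsewhere.
auth        [success=1 default=ignore] pam_succeed_if.so service = gnome-screensaver quiet
auth        required      pam_tally2.so deny=5 unlock_time=900 onerr=fail

auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

# Workaround 2 (alternative to the skip): let pam_tally2 fail open when
# the tally file cannot be opened. Replace the two lines above with:
#auth        required      pam_tally2.so deny=5 unlock_time=900 onerr=succeed
```

Both variants exempt screen-unlock attempts from the failure counter: with the skip they are never tallied, and with onerr=succeed they are tallied only by callers able to open the tally file, so lockouts from console or SSH logins still apply but unlock-dialog guessing is not counted against the same limit.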