zirias@
Developer
Asking here before opening a PR, because I'm not sure whether I might be doing something wrong...
I'm trying to allow "self-authentication" against the local passwd database without requiring root privileges. The typical use case for this is screen lockers, and the typical workaround for them is using some external suid-root helper to carry out the PAM authentication ... but the well-known xscreensaver refuses to support this (IMHO for good reasons).

LinuxPAM includes a workaround for this specific use case, a suid-root helper used by pam_unix.so itself. I suggested something similar for FreeBSD, but this was rejected. One suggestion for an alternative was to write a helper instead that's directly called by pam_exec.so, which makes sense for a workaround as it's a pretty unobtrusive way to add this feature (and can be delivered as a port).

For even more background:

- PR about upgrading the xscreensaver port: PR 254178
- Review (rejected) for suggested extension of pam_unix: https://reviews.freebsd.org/D34322

So, now I'm working on a suid-root helper for pam_exec. Running into strange issues, I created a version with a lot of logging here: https://github.com/Zirias/unix-selfauth-helper/tree/bughunt

It seems to work as expected when I test it with some very simple test code:
Code:
#include <sys/types.h>
#include <security/pam_appl.h>
#include <security/openpam.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    if (argc != 2)
    {
        fputs("usage: pamcheck user\n", stderr);
        return 1;
    }

    pam_handle_t *pamh = 0;
    /* openpam_ttyconv prompts on the controlling tty, the way login(1) does */
    struct pam_conv conv = { openpam_ttyconv, 0 };

    /* the service name selects the policy, e.g. /etc/pam.d/xscreensaver;
     * OpenPAM falls back to the "other" policy if none exists */
    int rc = pam_start("xscreensaver", argv[1], &conv, &pamh);
    if (rc != PAM_SUCCESS)
    {
        fprintf(stderr, "%s\n", pam_strerror(pamh, rc));
        return 1;
    }

    /* refuse empty passwords even where the module itself would allow them */
    rc = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK);
    const char *result = pam_strerror(pamh, rc);
    pam_end(pamh, rc);
    fprintf(stderr, "pam_authenticate: %s\n", result);
    /* exit status mirrors the PAM result so the check is scriptable */
    return rc == PAM_SUCCESS ? 0 : 1;
}
But it fails in other situations. One of the first things I tried was adding it to /etc/pam.d/system for testing, like this:
Code:
auth sufficient pam_exec.so return_prog_exit_status expose_authtok /usr/local/libexec/unix-selfauth-helper
auth required pam_unix.so use_first_pass nullok
Now, this makes su segfault, although from the log messages, the helper seems to run fine. If I remove the use_first_pass option, I'm asked for a password a second time (as expected), and after that, I still get a segfault. If I remove the expose_authtok option for my helper, the segfault goes away, but of course this renders the helper useless.

Any ideas what could be wrong here?

Did these tests on 13.1-RC6 so far...