Question on PAM system-auth - Unix



Thread: Question on PAM system-auth

  1. Question on PAM system-auth

    The /etc/pam.d/system-auth file on a Fedora 7 Linux system
    looks like this:

    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so

    ....

    (remaining lines omitted.)

    My question is on the "account" lines. If I understand
    this correctly the first line requires a valid, unexpired
    user account. The last three lines don't seem to do anything!
    That is, if the first line succeeds the last three can never
    have no effect. I'm thinking this is a mistake and
    that Red Hat meant to have this policy:

    ....
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_unix.so
    ....

    Can anyone enlighten me about this?

    -Wayne

  2. Re: Question on PAM system-auth

    Begin <48401627$0$7714$4c368faf@roadrunner.com>
    On Fri, 30 May 2008 10:59:58 -0400, Wayne wrote:
    > account required pam_unix.so
    > account sufficient pam_localuser.so
    > account sufficient pam_succeed_if.so uid < 500 quiet
    > account required pam_permit.so

    [snip]
    > If I understand this correctly the first line requires a valid,
    > unexpired user account. The last three lines don't seem to do
    > anything! That is, if the first line succeeds the last three can never
    > have no effect.
    PAM always confuses me, but this I probably can give a correct answer to.
    Looking at pam.conf(5), it says:

    required    If this module succeeds, the result of the chain will be
                success unless a later module fails. If it fails, the rest
                of the chain still runs, but the final result will be
                failure regardless of the success of later modules.

    So, regardless of success or failure of the first line, further rules
    are run. If the first rule fails, the entire rule will fail regardless
    of outcome of later rules, but provided the first one succeeded, you
    still need an absence of failure in later modules for an overall
    success.

    Contrast this with

    sufficient  If this module succeeds, the chain is broken and the result
                is success. If it fails, the rest of the chain still runs,
                but the final result will be failure unless a later module
                succeeds.

    Here, success on this module means no further checking. Failure means
    further checks are done to see if later modules won't succeed.

    Reading the above lines again, I'd instead say that the middle two don't
    contribute much because the last line unconditionally succeeds. Failure
    in the first line, however, means an overall failure regardless of
    outcome on later lines. As I said, PAM confuses me, so ICBW.
    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    This message was originally posted on Usenet in plain text.
    Any other representation, additions, or changes do not have my
    consent and may be a violation of international copyright law.
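As an added example (not part of the thread), a small simulator of the control-flag semantics quoted above from pam.conf(5), run over the account stack from the original post and over Wayne's proposed reordering. The module results and the three caller scenarios are constructed assumptions, not output of real PAM modules; they show that in the shipped stack a pam_unix.so failure sticks even though pam_permit.so succeeds, whereas in the reordered stack a local user short-circuits on pam_localuser.so and pam_unix.so's expiry check is never consulted.

```python
# Added example (not from the thread): a simulator of the Linux-PAM control
# flags as documented in pam.conf(5). Module outcomes are supplied as
# constructed booleans; no real PAM module is invoked.

STACK_FEDORA = [                          # account stack quoted in the thread
    ("required",   "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),  # uid < 500 quiet
    ("required",   "pam_permit.so"),
]
STACK_PROPOSED = [                        # reordering proposed by Wayne
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("required",   "pam_unix.so"),
]

def run_stack(stack, outcomes):
    """Return (final_result, modules actually consulted) for one stack."""
    consulted, impression = [], None      # None: nothing has set a result yet
    for control, module in stack:
        consulted.append(module)
        ok = outcomes[module]
        if control in ("required", "requisite"):
            if not ok:
                if control == "requisite":  # fail at once, skip the rest
                    return False, consulted
                impression = False        # remembered, but the chain goes on
            elif impression is None:
                impression = True
        elif control == "sufficient":
            # success ends the chain unless a required module already failed;
            # failure of a sufficient module is simply ignored
            if ok and impression is not False:
                return True, consulted
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return impression is True, consulted

# Constructed scenarios (assumed module outcomes for three kinds of caller;
# pam_succeed_if.so is False because all three users have uid >= 500).
LOCAL_OK      = {"pam_unix.so": True,  "pam_localuser.so": True,
                 "pam_succeed_if.so": False, "pam_permit.so": True}
LOCAL_EXPIRED = {"pam_unix.so": False, "pam_localuser.so": True,
                 "pam_succeed_if.so": False, "pam_permit.so": True}
REMOTE_OK     = {"pam_unix.so": True,  "pam_localuser.so": False,
                 "pam_succeed_if.so": False, "pam_permit.so": True}
```

Calling run_stack(STACK_PROPOSED, LOCAL_EXPIRED) returns success after consulting only pam_localuser.so, which is why the shipped ordering keeps pam_unix.so first.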
