I'm using SuSE Linux 9.2 with libnss-mysql. This works perfectly after some hand trimming. Now I've got one problem left. As soon as I lock my X11 screen with xscreensaver, I can't unlock it any more. This is only true for users provided via libnss-mysql. All /etc/passwd users work fine.
I investigated this problem and found out that xscreensaver (and probably some things from PAM) uses /sbin/unix2_chkpwd to check if the password is correct. This unix2_chkpwd must be suid root to access /etc/shadow.
Now SuSE did a trick and introduced the special group "shadow" which has read access to /etc/shadow. Thus the /sbin/unix2_chkpwd is sgid shadow instead of suid root.
Unfortunately libnss-mysql only relies on UID==0 to do a getspnam() query. Since the UID still is the normal user instead of "root", libnss-mysql doesn't attempt to query the password.
To avoid this problem I suggest replacing the check "UID==0" with a test like "access("/etc/shadow",R_OK)==0".
Bye
Hansi
By "hand trimming" do you mean you needed to make code changes to get things working right?
I thought I checked for read access on libnss-mysql-root.cfg and not UID=0 ... ? I'd need to check the code - but if that's the case, setting the perms on libnss-mysql-root.cfg should accomplish the same thing.
-=| Ben
"hand trimming" was changing some things in the Makefile. I don't remember exactly, but I think it was just some work in the Makefile or probably the configure script.
UID=0: I tried to set the permissions and owner for libnss-mysql-root.cfg exactly as they are for shadow but it didn't work.
Bye
Hansi
I'll make a point of checking this out - it seems like doing a "chgrp shadow /etc/libnss-mysql-root.cfg; chmod 640 /etc/libnss-mysql-root.cfg" should work, though ...
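Added example (not code from libnss-mysql or from any poster in this thread): a C comparison of the kinds of privilege check discussed above, for a helper that is setgid rather than setuid root. The function names are hypothetical; the point it shows is that access() tests the real UID/GID, so a group gained through the setgid bit is only seen by an effective-ID check or by actually opening the file.

```c
/* Added example: ways a set-id helper can ask "may I read this file?" */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Identity test in the style of "UID==0" (hypothetical helper). It ignores
 * group privilege: in a setgid-only process both getuid() and geteuid()
 * are still the calling user, so this returns 0. */
int is_root(void) { return geteuid() == 0; }

/* access() answers for the REAL uid/gid. In a setgid helper the real gid
 * is still the caller's, so the group the helper gained does not count. */
int readable_real(const char *path) { return access(path, R_OK) == 0; }

/* faccessat(..., AT_EACCESS) answers for the EFFECTIVE uid/gid, which is
 * what the kernel applies when the helper opens the file. */
int readable_effective(const char *path)
{
    return faccessat(AT_FDCWD, path, R_OK, AT_EACCESS) == 0;
}

/* Opening the file is the authoritative test and leaves no window between
 * the check and the use. */
int readable_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(int argc, char **argv)
{
    /* Default path is the one named in the thread; pass another to compare. */
    const char *path = argc > 1 ? argv[1] : "/etc/shadow";
    printf("ruid=%ld euid=%ld rgid=%ld egid=%ld\n", (long)getuid(),
           (long)geteuid(), (long)getgid(), (long)getegid());
    printf("%s: is_root=%d access=%d faccessat(AT_EACCESS)=%d open=%d\n",
           path, is_root(), readable_real(path), readable_effective(path),
           readable_open(path));
    return 0;
}
```

Run from a binary that is setgid to a group with read access on the target file, the four columns show which checks notice the group privilege.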