sajidk has asked for the wisdom of the Perl Monks concerning the following question:

I am facing some small issue when trying to change the password on Linux box using Authen PAM with the example given the FAQ section "Can I change Password non interactivity" (http://search.cpan.org/~nikip/Authen-PAM-0.16/PAM/FAQ.pod#2._Can_I_change_a_password_non_interactively%3F) I am getting the error "Authentication token manipulation error".

When I change the password with "passwd" command for non root user, It asks 1.Current password 2.New password 3.Retype new password.
Can you please let me know what I might be doing wrong ?
Any help will be highly appreciated
Thanks,
Sajid
  • Comment on Authentication token manipulation error in Authen-PAM

Replies are listed 'Best First'.
Re: Authentication token manipulation error in Authen-PAM (setuid)
by shmem (Chancellor) on Jan 19, 2007 at 15:05 UTC
    Reading your post a second time: does for non root user also mean as non root user?

    The example code will not work if it is executed by a non-root user, since a non-root user doesn't have the permissions to manipulate authentication tokens. That's why the UNIX passwd program is setuid root.

    If you want the script to succeed as a non-root user, you have make it somehow setuid. Perl won't execute scripts with the setuid bit set, so you have to wrap it into a small C program (e.g. /usr/local/scripts/pam.c). First rename your script: 

    mv /usr/local/scripts/pam.pl /usr/local/scripts/.pam.pl
chmod a-w /usr/local/scripts/.pam.pl

    [download]

    Write this wrapper 

    main(argc,argv)
int argc;
char **argv;
{
    execv("/usr/local/scripts/.pam.pl",argv);
}

    [download]

    as /usr/local/scripts/pam.c, compile it 

    cc -o /usr/local/bin/pam /usr/local/scripts/pam.c

    [download]

    and make the resulting program setuid: 

    chown root /usr/local/bin/pam
chmod a-w /usr/local/bin/pam 
chmod u+s /usr/local/bin/pam

    [download]

    Now the setuid C-compiled binary /usr/local/bin/pam will invoke perl to run /usr/local/scripts/.pam.pl after having changed the UID to 0 - so the PAM library can e.g. read and write /etc/shadow.

    And, while I'm at it, please learn how to link properly. Please fix the link in your original post accordingly.

    --shmem 

    _($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                              /\_¯/(q    /
----------------------------  \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
[reply]
[d/l]
[select]
    A reply falls below the community's threshold of quality. You may see it by logging in.
Re: Authentication token manipulation error in Authen-PAM
by shmem (Chancellor) on Jan 19, 2007 at 00:21 UTC
    A bit of code of yours would be handy to know what you are really doing, to reproduce the problem, and to hint you at solutions. See How (Not) To Ask A Question.

    As for PAM, I agree with Theo de Raadt's statement:

    I will try to be as nice as anyone has ever seen me be:
    PAM is completely and utterly broken and cannot be fixed.

    --shmem 

    _($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                              /\_¯/(q    /
----------------------------  \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
[reply]
[reply]

Back to Seekers of Perl Wisdom