in reply to Authentication token manipulation error in Authen-PAM
The example code will not work if it is executed by a non-root user, since a non-root user doesn't have the permissions to manipulate authentication tokens. That's why the UNIX passwd program is setuid root.
If you want the script to succeed as a non-root user, you have make it somehow setuid. Perl won't execute scripts with the setuid bit set, so you have to wrap it into a small C program (e.g. /usr/local/scripts/pam.c). First rename your script:
mv /usr/local/scripts/pam.pl /usr/local/scripts/.pam.pl chmod a-w /usr/local/scripts/.pam.pl
Write this wrapper
main(argc,argv) int argc; char **argv; { execv("/usr/local/scripts/.pam.pl",argv); }
as /usr/local/scripts/pam.c, compile it
cc -o /usr/local/bin/pam /usr/local/scripts/pam.c
and make the resulting program setuid:
chown root /usr/local/bin/pam chmod a-w /usr/local/bin/pam chmod u+s /usr/local/bin/pam
Now the setuid C-compiled binary /usr/local/bin/pam will invoke perl to run /usr/local/scripts/.pam.pl after having changed the UID to 0 - so the PAM library can e.g. read and write /etc/shadow.
And, while I'm at it, please learn how to link properly. Please fix the link in your original post accordingly.
--shmem
_($_=" "x(1<<5)."?\n".q·/)Oo. G°\ /
/\_¯/(q /
---------------------------- \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
|
|---|
| Replies are listed 'Best First'. | |
|---|---|
| A reply falls below the community's threshold of quality. You may see it by logging in. |