[Pkg-shadow-devel] improvement of chfn/chsh manpages
Tomasz Kłoczko
kloczek at zie.pg.gda.pl
Mon Oct 3 21:49:16 UTC 2005
On Tue, 4 Oct 2005, Alexander Gattin wrote:
> Hi!
>
> > > Also I have a question -- how do you have chfn/chsh
> > > operating in PLD for ordinary users -- do they ask for
> > > users' password or not?
> >
> > Yes, ask user for password.
> >
> > /etc/pam.d/{chfn,chsh,chpasswd} from my system (where I'm using NIS):
> ...
> > It works as expected on PAM 0.77. I just checked shadow 4.0.13 on Fedora,
> > where PAM is 0.80, and (strangely) it works as you report.
> ...
> > Question is: why does it not work as expected on a fresher PAM (?) :>
>
> From what I see in code, neither chsh nor chfn are
> really pam-ified. I.e. they include one pam header and
> then there's no calls to pam_start(),
> pam_authenticate() and so on. Maybe someone has started
> pam-ification of these utils and just left them in
> current state.
>
> The difference between PLD (ask) and RH (do not ask for
> password) is probably because one shadow was compiled
> --with-libpam while another --without-libpam or with
> "#undef USE_PAM" inside chsh.c/chfn.c
>
> I don't see any other place in chsh.c/chfn.c where a
> user can be prompted for password, except the
> passwd_check() code inside #ifndef USE_PAM/#endif
>
> P.S. But I don't know what the code for SELINUX does
> and I'm not sure about the USE_NIS code either.
USE_NIS is an older part of shadow.
Seems you are right about pam_start() :>
I'm not a PAM expert, so I'll be glad to see any help/advice on fixing/finishing
this.
kloczek
--
-----------------------------------------------------------
*People don't have problems, they just create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek at rudy.mif.pg.gda.pl*
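
The point made in the quoted message, that the only password prompt sits inside `#ifndef USE_PAM` and no `pam_start()`/`pam_authenticate()` call exists, can be checked mechanically. The following is an added example, not part of the original mail or of shadow's code: it records which preprocessor guards surround each authentication call. The sample source is constructed, and `amroot`, `update_shell` and the call arguments are illustrative assumptions.

```python
import re

# Constructed sample shaped like the structure described in the thread;
# it is NOT the real chsh.c from shadow.
SAMPLE = r'''
#ifdef USE_PAM
#include <security/pam_appl.h>
#endif
int main(void)
{
#ifndef USE_PAM
    if (!amroot) passwd_check(user, pw->pw_passwd, "chsh");
#endif
    update_shell(user, loginsh);
    return 0;
}
'''

DIRECTIVE = re.compile(r'^\s*#\s*(ifdef|ifndef|if|elif|else|endif)\b\s*(.*)$')
AUTH_CALLS = ("passwd_check", "pam_start", "pam_authenticate", "pam_acct_mgmt")

def guarded_calls(source, names=AUTH_CALLS):
    """Map each call name to the guard stacks active at its call sites.
    A guard is (expression, truth value required for the code to be built)."""
    stack, found = [], {}
    for line in source.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            kind, expr = m.group(1), m.group(2).strip()
            if kind in ("ifdef", "ifndef"):
                stack.append((expr.split(" ")[0], kind == "ifdef"))
            elif kind == "if":
                stack.append((expr, True))
            elif kind == "else" and stack:
                stack[-1] = (stack[-1][0], not stack[-1][1])
            elif kind == "elif" and stack:
                stack[-1] = (expr, True)  # approximation: earlier branches ignored
            elif kind == "endif" and stack:
                stack.pop()
            continue
        for name in names:
            if re.search(rf'\b{name}\s*\(', line):
                found.setdefault(name, []).append(tuple(stack))
    return found

def prompts_with_pam(source):
    """True if any authentication call is still compiled when USE_PAM is defined."""
    return any(("USE_PAM", False) not in guards
               for sites in guarded_calls(source).values() for guards in sites)
```

Comments in the scanned source are not stripped, so a call name mentioned inside a comment would be counted as a call site.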