[23221] in Athena Bugs
Re: linux 9.2.13: machtype -d
daemon@ATHENA.MIT.EDU (Garry Zacheiss)
Fri Jul 25 07:09:26 2003
Date: Fri, 25 Jul 2003 07:09:23 -0400 (EDT)
Message-Id: <200307251109.h6PB9NCH022831@brad-majors.mit.edu>
From: Garry Zacheiss <zacheiss@MIT.EDU>
To: Jonathon Weiss <jweiss@MIT.EDU>
CC: bugs@MIT.EDU
In-reply-to: "[23213] in Athena Bugs"
> machtype -d returns no output unless run as root. This is apparently
> because X -showconfig catches some sort of permission failure and
> spews an error instead of displaying version info. Strangely, it
> seems to lose less if run under strace.

It succeeds when run under strace because running a setuid process
under strace strips it of its setuid privileges. This causes
CheckUserAuthentication() to not call into libpam. It only makes PAM
calls if getuid() != geteuid(); see CheckUserAuthentication() in
xc/programs/Xserver/os/utils.c.

/etc/pam.d/xserver looks like this on Redhat 9 (and Redhat 7.x, for
that matter):

#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_console.so
account required /lib/security/pam_permit.so

which is trying to restrict access to the X server to people logged in
on the console, except pam_console.so will fail in our environment
because it seems to just look for the presence of /var/run/console/$USER
to decide if the user is logged in on the console, which of course isn't
created by xlogin/dm.

We can fix this by replacing /etc/pam.d/xserver with something that
looks like this:

#%PAM-1.0
auth required /lib/security/pam_permit.so
account required /lib/security/pam_permit.so

which will always succeed for any user. There may be security
implications to doing this, but I can't think of any.

Alternately, we can fix only machtype by making it run X as
"strace -o /dev/null X -showconfig". That's an enormous hack and we
probably don't want to do it, but it entertains me enough that I thought
I'd mention it.

Garry
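As an added illustration (not part of the original message or of the X server or Linux-PAM sources), the following Python models the decision chain described above: the getuid()/geteuid() gate in CheckUserAuthentication(), then the two /etc/pam.d/xserver auth stacks quoted in the message. The `console_users` set stands in for the presence of /var/run/console/$USER, and the `required`/`sufficient` handling is a simplified version of Linux-PAM's control-flag semantics, both of which are assumptions made for this example.

```python
import os

# The two auth stacks quoted in the message (account lines omitted; constructed copies).
REDHAT_XSERVER_AUTH = """#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_console.so
"""
PERMIT_XSERVER_AUTH = """#%PAM-1.0
auth required /lib/security/pam_permit.so
"""


def parse_auth_stack(text):
    """Return [(control, module_name)] for the 'auth' lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if line.lstrip().startswith("#") or len(parts) < 3 or parts[0] != "auth":
            continue
        module = os.path.basename(parts[2])
        if module.endswith(".so"):
            module = module[:-3]
        stack.append((parts[1], module))
    return stack


def run_module(name, uid, user, console_users):
    """Simplified behaviour of the three modules named in the message (assumption)."""
    if name == "pam_rootok":   # succeeds only for real uid 0
        return uid == 0
    if name == "pam_console":  # succeeds only if /var/run/console/$USER exists (simulated)
        return user in console_users
    if name == "pam_permit":   # always succeeds
        return True
    raise ValueError(f"unknown module {name}")


def evaluate_stack(stack, uid, user, console_users):
    """Linux-PAM control semantics reduced to 'required' and 'sufficient'."""
    required_failed = False
    for control, name in stack:
        ok = run_module(name, uid, user, console_users)
        if control == "required" and not ok:
            required_failed = True   # remember the failure but keep running the stack
        elif control == "sufficient" and ok and not required_failed:
            return True              # short-circuit success, e.g. pam_rootok for root
    return not required_failed


def xserver_allows(stack, uid, euid, user, console_users):
    """Mirror CheckUserAuthentication(): PAM is consulted only while setuid is in effect."""
    if uid == euid:  # setuid stripped, e.g. when the server is run under strace
        return True
    return evaluate_stack(stack, uid, user, console_users)
```

With the Redhat stack, a non-root user with no /var/run/console entry is refused unless the setuid bit has been stripped, which is exactly the strace behaviour the message explains; the pam_permit stack admits everyone.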