Hi Yutaka,

pficabdyi-pg3up53xuedw.ml@delegate.org wrote:

> PAM authentication not for the owner user of DeleGate process

Who is the owner of the DG process? I thought it is "nobody" by default...
I am "root", run DG and do a "ps" and I see that the owner of the DG process
is "nobody". But even if I set a password for "nobody" and let "nobody" be
the admin like this ...

user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:nobody" -f
<DeleGate/9.0.5-pre1> [18765] -P8080 READY DGROOT=/var/spool/delegate-nobody ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)
-delegated[18765]- WARNING! ADMIN="your_mail_address" should be specified.
-delegated[18765]- INFO: using ADMIN=root@localhost given at compile time.
ERROR: gid=65534 egid=0
ERROR: gid=65534 egid=0

user root # ls -ld /var/spool/delegate-nobody/subin/
drwxr-xr-x 2 root root 144 Aug 16 03:38 /var/spool/delegate-nobody/subin/
user root # ls -l /var/spool/delegate-nobody/subin/
total 248
-r-sr-s--- 1 root root 103323 Aug 16 14:32 dgbind
-r-sr-s--- 1 root root   8765 Aug 16 14:32 dgchroot
-r-sr-s--- 1 root root   8335 Aug 16 14:32 dgcpnod
-r-sr-s--- 1 root root 120016 Aug 16 14:32 dgpam

(I installed subin with make install from /usr/local/src/delegate9.0.5-pre1/subin/ and "make install")

... I am not able to log into http://mydgmachine:8080/-/admin/ with nobody:<nobody-password>

To me it looks like "nobody" has a problem executing dgpam...
su to nobody (with a valid shell) and

user nobody $ /var/spool/delegate-nobody/subin/dgpam
-su: /var/spool/delegate-nobody/subin/dgpam: Permission denied

So I did

user root # chmod o+rx /var/spool/delegate-nobody/subin/dgpam
user root # ls -l /var/spool/delegate-nobody/subin/dgpam
-r-sr-sr-x 1 root root 118247 Aug 16 03:36 /var/spool/delegate-nobody/subin/dgpam
user root # su - nobody
user nobody $ /var/spool/delegate-nobody/subin/dgpam
ERROR: gid=65534 egid=0

And this looks very much like the error I got when I tried to authenticate as "nobody"....

Is there a problem with dgpam, at least in my Gentoo setup?

> requires
> to be executed in super user ownership. So one of followings will
> solve the problem:
>
> - run the DeleGate with OWNER=dgadmin

user root # useradd -u 8080 -c "DeleGate Admin" -m dgadmin
user root # passwd dgadmin
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: password updated successfully
user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:nobody" OWNER=dgadmin -f
<DeleGate/9.0.5-pre1> [18798] -P8080 READY DGROOT=/var/spool/delegate-nobody
[cut]
user root # cp -prv /var/spool/delegate-nobody/subin /home/dgadmin/delegate/
`/var/spool/delegate-nobody/subin' -> `/home/dgadmin/delegate/subin'
`/var/spool/delegate-nobody/subin/dgcpnod' -> `/home/dgadmin/delegate/subin/dgcpnod'
`/var/spool/delegate-nobody/subin/dgpam' -> `/home/dgadmin/delegate/subin/dgpam'
`/var/spool/delegate-nobody/subin/dgbind' -> `/home/dgadmin/delegate/subin/dgbind'
`/var/spool/delegate-nobody/subin/dgchroot' -> `/home/dgadmin/delegate/subin/dgchroot'
user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:nobody" OWNER=dgadmin -f
<DeleGate/9.0.5-pre1> [18820] -P8080 READY DGROOT=/home/dgadmin/delegate ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)
-delegated[18820]- WARNING! ADMIN="your_mail_address" should be specified.
-delegated[18820]- INFO: using ADMIN=root@localhost given at compile time.
ERROR: gid=100 egid=0

Again I am not able to authenticate :-(

> - run the DeleGate with OWNER=YourOwn and use YourOwn instead of "dgadmin"

user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:myself" OWNER=myself -f
<DeleGate/9.0.5-pre1> [18837] -P8080 READY DGROOT=/home/myself/delegate
[cut]
user root # cp -prv /var/spool/delegate-nobody/subin/ /home/bart/delegate/
[cut]
user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:myself" OWNER=myself -f
<DeleGate/9.0.5-pre1> [18859] -P8080 READY DGROOT=/home/bart/delegate ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)
-delegated[18859]- WARNING! ADMIN="your_mail_address" should be specified.
-delegated[18859]- INFO: using ADMIN=root@localhost given at compile time.
ERROR: gid=100 egid=0
ERROR: gid=100 egid=0

... not able to authenticate.

Now I switched to the user himself:

user myself $ /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:myself" OWNER=myself -f
<DeleGate/9.0.5-pre1> [18870] -P8080 READY DGROOT=/home/myself/delegate ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)
-delegated[18870]- WARNING! ADMIN="your_mail_address" should be specified.
-delegated[18870]- INFO: using ADMIN=root@localhost given at compile time.

Now I saw no error message, nevertheless I was not able to authenticate :-(

> - install external dgpam with setuid flag on and owned by root user,
> doing "make install" in ./subin (recommended)

./subin is available for every user now, see above....

> - run the DeleGate with OWNER=root (not recommended)

user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:bart" OWNER=root -f
<DeleGate/9.0.5-pre1> [18893] -P8080 READY DGROOT=/var/spool/delegate-root
[cut]
root user # cp -prv /var/spool/delegate-nobody/subin/ /var/spool/delegate-root/
[cut]
user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:myself" OWNER=root -f
<DeleGate/9.0.5-pre1> [18896] -P8080 READY DGROOT=/var/spool/delegate-root ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)

No error message, but also not able to log in ;-(((

I remember that OWNER=root worked for the 9.0.4 version, and was the only way for me to authenticate the admin with PAM.

> I myself never execute DeleGate under root ownership. With subin/dgpam
> and others installed, DeleGate can do PAM, chroot() and bind() which
> requires privilege as normal user. For example, PAM authentication works
> with subin/dgpam as follows:
>
> 08/13 06:03:09.81 [13097] 1+0: [0.00,105582][AUTH cache-EXPIRED: 105613 7] /home/me/delegate/adm/authorizer/passwd.-.pam/a90f8549157c6e1c874463fb66133b30-cache
> 08/13 06:03:09.82 [13097] 1+0: ## dgpam = /home/me/delegate/subin/dgpam
> ## pam_authenticate [passwd][root] = 0
> 08/13 06:03:10.04 [13097] 1+0: ## dgpam -a passwd root = HTTP/1.0 200^M
> 08/13 06:03:10.04 [13097] 1+0: ## Auth/PAM = 0 <root:****@-passwd.-.pam>
> 08/13 06:03:10.04 [13097] 1+0: ##[doAUTH] set ClientAuth [root@-pam]

Great, but what was the command line and did you start it as a "normal user"?
How to get this going in an RC script?

Best regards,
Armin

--
Armin Wies
p44fqbdyi-pg3up53xuedw.ml@delegate.org
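The `ls -l` output in the post shows `dgpam` installed as `-r-sr-s--- root root`: setuid and setgid root, but with no execute bit for "other", which is exactly the condition behind the `Permission denied` when `nobody` runs it, and the 0755 `subin` directory is the other half of what an unprivileged caller needs. The script below is an added example written for this page; it is not DeleGate code and not part of the thread. It audits the mode-bit prerequisites for any setuid helper (ownership by the privileged user, the setuid bit, an execute bit that applies to the calling account, a searchable parent directory), generalising beyond `dgpam`. The function names `check_suid_helper` and `mode_allows_x` and the example user names are assumptions; it cannot explain the `ERROR: gid=65534 egid=0` message, which `dgpam` prints only after it has already started.

```shell
#!/bin/sh
# Added example (not DeleGate code): audit whether a setuid helper such as
# subin/dgpam is installed so that an unprivileged service account can run it.
#
#   check_suid_helper PATH [EXPECTED_OWNER] [RUN_AS_USER]
#
# EXPECTED_OWNER defaults to root, RUN_AS_USER to the current user.  Exit
# status 0 means every check passed; each failed check prints one line.
# Only classic mode bits are examined: ACLs and nosuid mounts are out of scope.

# mode_allows_x PATH USER: true if the mode bits give USER execute (search)
# permission on PATH, picking the owner, group or "other" bit as appropriate.
mode_allows_x() {
    path=$1
    user=$2
    # ls -ld prints: mode links owner group size ... name (GNU and BSD alike)
    set -- $(ls -ld "$path")
    fowner=$3
    fgroup=$4
    if [ "$user" = "$fowner" ]; then
        bit=100                     # u+x
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$fgroup"; then
        bit=010                     # g+x
    else
        bit=001                     # o+x (the bit "nobody" was missing above)
    fi
    # find prints the path only when all bits given in -perm -MODE are set
    [ -n "$(find "$path" -prune -perm -$bit)" ]
}

check_suid_helper() {
    helper=$1
    owner=${2:-root}
    runas=${3:-$(id -un)}
    rc=0

    [ -f "$helper" ] || { echo "missing: $helper"; return 1; }

    # 1. The file must belong to the user it elevates to, or setuid is pointless.
    if [ -z "$(find "$helper" -prune -user "$owner")" ]; then
        echo "not owned by $owner: $helper"
        rc=1
    fi

    # 2. The setuid bit must be present (test -u is POSIX).
    if [ ! -u "$helper" ]; then
        echo "setuid bit not set: $helper"
        rc=1
    fi

    # 3. The calling user needs an execute bit that applies to it.  A 0550
    #    root:root install denies every account outside group root.
    if ! mode_allows_x "$helper" "$runas"; then
        echo "mode denies execute to $runas: $(ls -ld "$helper")"
        rc=1
    fi

    # 4. The directory must be searchable, or the binary cannot be reached.
    dir=$(dirname "$helper")
    if ! mode_allows_x "$dir" "$runas"; then
        echo "directory not searchable by $runas: $(ls -ld "$dir")"
        rc=1
    fi

    return $rc
}

# Usage for the layout shown in the post (assumed paths and account):
#   check_suid_helper /var/spool/delegate-nobody/subin/dgpam root nobody
```

Run it as root with the account DeleGate actually drops to as the third argument; the check is deliberately conservative, since a helper that passes here can still be neutralised by a `nosuid` mount option or a restrictive ACL, which are worth checking by hand when the mode bits look right but the helper still fails.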