Lenny upgrade -- kcheckpass behavior change

I've just completed the "lenny" upgrade on my main
box at home, and ran into an interesting glitch.

The initial symptom was, I couldn't unlock the screen
from the screensaver. The logs complained about "user not found",
but id <user> showed it, PAM config looked OK, /etc/nsswitch.conf
was fine, and /etc/passwd and /etc/shadow hadn't changed.

Other log entries showed the complaint was coming from
kcheckpass, and indeed, interactive use showed that it was
failing, even with the correct password. Running "strace"
on this showed it was getting "permission denied" trying to
read /etc/shadow.

On this system, I had set /etc/shadow to be permission 400,
as recommended in a system hardening guide (don't recall now
which one), and then more or less forgotten about it.

Evidently the behavior of kcheckpass has changed; it must
run as group "shadow" now, and not as user root. Opening up
permissions on /etc/shadow (I changed it to 440) fixed it.
-- A.
--
Andrew Reid / reidac@bellatlantic.net
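
The interaction described in the post, as an added example that is not part of the original message: a shell check of whether a set-uid or set-gid helper's effective IDs can read a file under the classic owner/group/other mode bits. The function names, the sample UID/GID numbers (root 0, shadow 42, caller 1000) and the helper modes are constructed for illustration; ACLs, capabilities and supplementary groups are ignored.

```shell
#!/bin/sh
# Added example: can a set-id helper read a target file, given only mode bits?
# Ignores ACLs, capabilities and supplementary groups.

# helper_verdict T_MODE T_UID T_GID H_MODE H_UID H_GID CALLER_UID CALLER_GID
# Modes are octal strings as printed by `stat -c %a` (e.g. 400, 2755).
# Prints "ok" if the helper's effective IDs can read the target, else "denied".
helper_verdict() {
    t_mode=$((0$1)); h_mode=$((0$4))
    euid=$7; egid=$8
    # set-uid bit: the process runs as the helper file's owner;
    # set-gid bit: the process runs with the helper file's group.
    if [ $(($h_mode & 04000)) -ne 0 ]; then euid=$5; fi
    if [ $(($h_mode & 02000)) -ne 0 ]; then egid=$6; fi

    if [ "$euid" -eq 0 ]; then
        bit=1                          # root bypasses the read mode bits
    elif [ "$euid" -eq "$2" ]; then
        bit=$(($t_mode & 0400))        # owner class
    elif [ "$egid" -eq "$3" ]; then
        bit=$(($t_mode & 0040))        # group class
    else
        bit=$(($t_mode & 0004))        # other class
    fi
    if [ "$bit" -ne 0 ]; then echo ok; else echo denied; fi
}

# check_paths TARGET HELPER: the same check on real files for the current
# user (GNU stat). Word splitting of the stat output is intentional.
check_paths() {
    helper_verdict $(stat -c '%a %u %g' "$1") $(stat -c '%a %u %g' "$2") \
        "$(id -u)" "$(id -g)"
}

# Constructed cases: target owned by root(0):shadow(42), caller 1000:1000.
helper_verdict 400 0 42 4755 0 0  1000 1000   # set-uid root helper, mode 400
helper_verdict 400 0 42 2755 0 42 1000 1000   # set-gid shadow helper, mode 400
helper_verdict 440 0 42 2755 0 42 1000 1000   # set-gid shadow helper, mode 440
```

On a live system, `check_paths /etc/shadow <path to kcheckpass>` applies the same logic to the installed files; the helper's location depends on the KDE packaging.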