Issues with calling an external executable from PAM

From: Slav Inger (slavinger_at_yahoo.com)
Date: 02/24/04


Date: 24 Feb 2004 08:20:10 -0800

Hello,

I'm using the fork()/execl() combination to run an external executable
from within an 'auth' Linux PAM module. Yes, I'm aware of the security
concerns of running external apps, but I must call an external
program during the auth stage. I'm also checking the executable's
exit code using the WEXITSTATUS() macro. [If anyone knows of a better
approach, please let me know] Now, here's the problem: it behaves
inconsistently. On one machine execl() succeeds most of the time, on
the other machine it fails every time. The executable is located in
the same place on both machines, with identical permissions. Here's
the situation in more detail:

PAM setup:
auth required custom_module.so <-- module calling external app
auth sufficient pam_krb5.so <params>
auth required pam_unix2.so <params>
... ... ...

Machine 1: module is invoked via console login (/etc/pam.d/login),
execl() fails every time

Machine 2: module is invoked from xdm (/etc/pam.d/xdm), execl()
succeeds, UNLESS the user fails his Kerberos password. At this point
something happens that makes the execl() call fail on subsequent logins.
I must restart the login manager to get the functionality back, again
until one of the users fails his Kerberos password.

So, why the inconsistency between machines? And in the latter case,
what is it that causes this behavior?

Thanks in advance.


