FC5 - pam_succeed_if.so uid >= 500 quiet --> Why??

spence · #1 10th May 2006, 02:45 AM

I am currently using LDAP for authentication and have found that I am unable to login to Gnome Desktop or switch user to certain system administrator accounts.
e.g.
su - sysxxx
Password: <enter correct password>
su: incorrect password

After a lot of investiagion I discovered that the problem is the accounts had a UID in the range of 200 to 220. These logins are also used on Solaris and are outside the Solaris reserved UID range. They work fine on Solaris and on Fedora Core 4 - just no good on Fedora Core 5.

I eventually tracked it down to the default settings of Fedora Core 5.

A new install of Fedora Core 4 does not let users with a UID of less than 100 login.
A new install of Fedora Core 5 does not let users with a UID of less than 500 login.

This is set in the files:
/etc/pam.d/system-auth
/etc/pam.d/system-auth-ac

e.g. from system-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

I was just wondering what the motivation was for increasing the allowed UID range to above 500?
I don't see any issues changing it back to 100... in fact an upgrade insall from FC4 to FC5 preserves the 100 value.

Jman · #2 11th May 2006, 05:34 AM

Regular Fedora users' ids start at 500, I presume the pam policy is so that system accounts are denied login.

spence · #3 11th May 2006, 05:51 AM

Quote:

Originally Posted by Jman

Regular Fedora users' ids start at 500, I presume the pam policy is so that system accounts are denied login.

Hmm well not a very good policy if you are using the same LDAP login across multiple systems. Traditionally <100 has been considered reserved on unix systems like Solaris.

In a mixed environemnt its most annoying to suddenly switch your behaviour.

ghostofmorgan · #4 1st April 2011, 01:32 AM

I m not to efficient with Fedora yet , but I m trying to update clamav and I keep
getting a message that says "I need a writeable UID 500 to get this update . Where do I get this
UID 500 so I can update clamscan ? Aloha

***bob*** · #5 1st April 2011, 01:49 AM

Ghost, you've tagged a 6-yr. old thread. I'm going to close this one. Why not start your own? As info, you're under the sub-Forum for "End Of Life" versions. If you're running a F13 or F14, you should be posting in another sub-forum.

Just select the right one, then look for the "new topic" button on the top left and start a fresh post!