On 16 Aug 2002 17:13:51 +0200 Nils Olav Selaasdal <noselasd@frisurf.no> wrote:

> On Sun, 2002-08-11 at 15:06, James West wrote:
> >
> > I'm having some trouble with getting certain services that don't
> > run as root, using pam.
> >
> > Namely postgresql runs as user postgres, but I was experimenting
> > with various versions of pam_unix and had no luck getting it to
> > auth, until I messed with permissions of /etc/shadow.
> >
> > Now, I'm sure this is a really old and obvious problem. (and if the
> > truth be known I can probably work without it)
> >
> > But, is there a way around it?
>
> We usually make a new group, shadowreaders, and:
> chgrp shadowreaders /etc/shadow
> chmod g+r /etc/shadow
>
> and add the users to that group.
>

I wouldn't do that on my systems. Unless you want to go back to the time
when /etc/shadow did not exist and Crack (the program) was highly popular,
you'd better not loosen /etc/shadow's permissions, this is where encrypted
passwords are kept.

Maybe using some authentication server or a carefully written setuid
binary (-ie- only one program to check, instead of a whole group
potentially running any odd binary on your system), would do it for your
problem?

I hope what I've just written is not stupid and I wish you a nice day.

--
David
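
An added example, not part of the original messages: a small Python check that reports whether a shadow file's mode has been loosened in the way discussed in this thread, and which accounts the owning group would expose the hashes to. The function names `group_members` and `audit_shadow` are hypothetical; the check reads only file metadata and the local passwd/group databases.

```python
import grp
import os
import pwd
import stat
import sys


def group_members(gid):
    """Accounts that hold this group: supplementary members plus primary-gid users."""
    try:
        members = set(grp.getgrgid(gid).gr_mem)
    except KeyError:
        members = set()  # gid has no entry in the group database
    members.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == gid)
    return sorted(members)


def audit_shadow(path="/etc/shadow"):
    """Return (code, detail) findings for a password-hash file's ownership and mode."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != 0:
        findings.append(("owner", f"owned by uid {st.st_uid}, expected root"))
    if mode & stat.S_IROTH:
        findings.append(("world-read", f"mode {mode:04o} lets any local user read the hashes"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable", f"mode {mode:04o} allows non-owner writes"))
    if mode & stat.S_IRGRP:
        # Every account listed here can copy the hashes for offline cracking.
        who = ", ".join(group_members(st.st_gid)) or "none"
        findings.append(("group-read", f"gid {st.st_gid} can read; accounts: {who}"))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/shadow"
    for code, detail in audit_shadow(target):
        print(f"{target}: {code}: {detail}")
```

A `group-read` finding that lists service accounts such as `postgres` means a compromise of any of those services also yields every local password hash.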