That is about the nicest email reply to a question I have seen in a long time. David, your mama would be happy.

md

dplist@free.fr wrote:
>
> On 16 Aug 2002 17:13:51 +0200
> Nils Olav Selaasdal <noselasd@frisurf.no> wrote:
>
> > On Sun, 2002-08-11 at 15:06, James West wrote:
> > >
> > > I'm having some trouble with getting certain services that don't
> > > run as root, using pam.
> > >
> > > Namely postgresql runs as user postgres, but I was experimenting
> > > with various versions of pam_unix and had no luck getting it to
> > > auth, until I messed with permissions of /etc/shadow.
> > >
> > > Now, I'm sure this is a really old and obvious problem. (and if the
> > > truth be known I can probably work without it)
> > >
> > > But, is there a way around it?
> >
> > We usually make a new group, shadowreaders, and:
> > chgrp shadowreaders /etc/shadow
> > chmod g+r /etc/shadow
> >
> > and add the users to that group.
> >
>
> I wouldn't do that on my systems.
>
> Unless you want to go back to the time when /etc/shadow did not exist
> and Crack (the program) was highly popular, you'd better not loosen
> /etc/shadow's permissions, this is where encrypted passwords are kept.
>
> Maybe using some authentication server or a carefully written setuid
> binary (-ie- only one program to check, instead of a whole group
> potentially running any odd binary on your system), would do it for
> your problem ?
>
> I hope what I've just written is not stupid and I wish you a nice day.
>
> --
> David
>
> _______________________________________________
>
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
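
An added example, not part of the thread: a read-only check of which accounts gain access to the password hashes once the group-read bit is set on a shadow file, as in the shadowreaders suggestion above. The function name shadow_exposure and the sample accounts are constructed for illustration; the file paths are parameters, so it can be run against copies.

```python
import os
import stat
import tempfile

def shadow_exposure(shadow_path, group_path="/etc/group", passwd_path="/etc/passwd"):
    """Report which accounts can read shadow_path through its group/other bits."""
    st = os.stat(shadow_path)
    mode = stat.S_IMODE(st.st_mode)
    report = {
        "mode": oct(mode),
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        "group": None,
        "readers": [],
    }
    if not report["group_readable"]:
        return report
    gid = str(st.st_gid)
    readers = set()
    # Supplementary members: fourth field of the matching group entry.
    with open(group_path) as fh:
        for line in fh:
            f = line.rstrip("\n").split(":")
            if len(f) >= 4 and f[2] == gid:
                report["group"] = f[0]
                readers.update(m for m in f[3].split(",") if m)
    # Accounts whose primary group is the file's group can read it too.
    with open(passwd_path) as fh:
        for line in fh:
            f = line.rstrip("\n").split(":")
            if len(f) >= 4 and f[3] == gid:
                readers.add(f[0])
    report["readers"] = sorted(readers)
    return report

if __name__ == "__main__":
    # Constructed sample files in a scratch directory; nothing under /etc is touched.
    d = tempfile.mkdtemp()
    shadow, group, passwd = (os.path.join(d, n) for n in ("shadow", "group", "passwd"))
    with open(shadow, "w") as fh:
        fh.write("postgres:!:19000:0:99999:7:::\n")
    gid = os.stat(shadow).st_gid
    with open(group, "w") as fh:
        fh.write(f"shadowreaders:x:{gid}:postgres,www\n")
    with open(passwd, "w") as fh:
        fh.write(f"alice:x:1000:{gid}:constructed:/home/alice:/bin/sh\n")
    os.chmod(shadow, 0o640)  # the effect of chmod g+r on a 0600 file
    print(shadow_exposure(shadow, group, passwd))
```

Every name in "readers" is an account whose compromise exposes all hashes on the host, which is the trade-off the reply contrasts with a single audited setuid helper.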