On 6/23/02 12:07 PM -0500, Shane Beasley wrote:

> The solution that I envision seems eerily similar to pam_pwdb, which uses
> a tiny, provably secure setuid helper binary that does the authentication.
> The trouble is, it needs to be able to authenticate *any* user, not just
> the user doing the authentication. Basically, instead of the helper binary
> calling getuid(), it would receive the user name from the PAM module. It
> sounds simple enough, which is why I was hoping that someone had done this
> already. :)

This would be the optimum solution. I looked into hacking it to do that at one point and never did get it finished.

The solution suggested in docs for the mod_auth_pam module for Apache is to make /etc/shadow be group-readable to apache. This isn't all that secure either, but it's not quite as bad as making it world-readable, and it works until someone comes up with a setuid helper binary that could authenticate anyone.

--
Dave Miller justdave@syndicomm.com + justdave@justdave.net
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/ http://www.justdave.net/