On Wed, 22 May 2002, Thomas Glanzmann wrote:

> On Wed, 22 May 2002, Thorsten Kukuk wrote:
>
> > On Wed, May 22, Thomas Glanzmann wrote:
> >
> > > Hi out there,
> > > I have a NIS Server serving a Password Database with entries like that:
> > >
> > > sithglan:##sithglan:31401:30003:Thomas Glanzmann, CIP Admin:/home/cip/adm/sithglan:/local/login/bin/env-csh
> > >
> > > This NIS Server also serves a map named passwd.adjunct.byname to source ports < 1024.
> > >
> > > And I have a PAM enabled Linux application named xlock. This xlock application
> > > is able to do the password authentication for a user, but why? Does Linux PAM
> > > cache already successfully authenticated passwords? Or is there another mechanism?
> > >
> > > If I try the same thing under Solaris, the PAM enabled xlock application needs a
> > > root sbit to proceed. Does somebody have an idea how I can get Solaris to do the same
> > > thing Linux does, so that I don't have to put the xlock application setuid root?
> >
> > You don't tell anything about your PAM configuration, but I think
> > you use a PAM module which calls an external setuid root helper
> > binary. As far as I know, pam_pwdb and pam_unix.so are doing so.
> >
> > Thorsten
>
> Here is a list of my setuid binaries ...
>
> # only some programs are set uid root
> /bin/ping owner=root group=root mode=4755 action=fixall checksum=md5
> /bin/su owner=root group=root mode=4755 action=fixall checksum=md5
> /usr/bin/wall owner=root group=tty mode=4755 action=fixall checksum=md5
> /usr/bin/at owner=root group=root mode=4755 action=fixall checksum=md5
> /usr/bin/write owner=root group=tty mode=4755 action=fixall checksum=md5
> /usr/bin/traceroute owner=root group=root mode=4755 action=fixall checksum=md5
> /usr/sbin/sendmail owner=root group=mail mode=4755 action=fixall checksum=md5
> /usr/bin/crontab owner=root group=root mode=4755 action=fixall checksum=md5
> /usr/bin/ssh owner=root group=root mode=4755 action=fixall checksum=md5
>
> But there are still a few setgid root programs, but I thought that setuid root is
> needed to bind a port less than 1024.
>
> Do you know the name of the setuid root helper or where I can read about it?

faui05c:/var/cfengine/inputs# ls -al /sbin/unix_chkpwd
-rwxr-xr-x 1 root wheel 14508 Jan 21 21:25 /sbin/unix_chkpwd

but it isn't setuid root ... so how does it work anyway?

FYI:

NAME
       unix_chkpwd - check the password of the invoking user

SYNOPSIS
       <not invoked manually>

DESCRIPTION
       A helper binary for the pam_unix module, unix_chkpwd, is provided to
       check the user's password when it is stored in a read protected
       database, such as shadow'd passwords. This binary is very simple and
       will only check the password of the user invoking it. It is called
       transparently on behalf of the user by the authenticating component
       of the pam_unix module. In this way it is possible for applications
       like xlock to work without being setuid root.

USAGE
       This program is not intended to be called directly by users and will
       log to syslog if it is called improperly (i.e., by someone trying to
       exploit it).
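Added here as a worked check, not code from the thread or from Linux-PAM: a small POSIX sh audit that takes expectations from inventory lines in the cfengine form quoted above ("path owner=root group=root mode=4755 ...") and compares them with the special bits each file really carries, read from the mode column of `ls -ld` (the same column shown above for /sbin/unix_chkpwd). The two inventory lines at the bottom, including the assumption that /sbin/unix_chkpwd should be mode 4755, are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): find setuid/setgid drift between a
# cfengine-style inventory and the files on disk. POSIX sh, GNU or BSD ls.

# Special bits the file actually has: setuid, setgid, setuid+setgid, none,
# or "missing" when the path does not exist.
actual_privbits() {
    [ -e "$1" ] || { echo missing; return; }
    set -- $(ls -ld "$1")            # $1 is now the mode column, e.g. -rwsr-xr-x
    case $1 in ???[sS]*)    u=1 ;; *) u=0 ;; esac     # owner-execute slot
    case $1 in ??????[sS]*) g=1 ;; *) g=0 ;; esac     # group-execute slot
    case "$u$g" in
        10) echo setuid ;;  01) echo setgid ;;  11) echo setuid+setgid ;;
        *)  echo none ;;
    esac
}

# Special bits an octal mode such as 4755 claims: the digit in front of the
# rwx digits (a mode such as 755 or 0755 claims none).
expected_privbits() {
    m=${1#0}
    case ${m%???} in
        4|5) echo setuid ;;  2|3) echo setgid ;;  6|7) echo setuid+setgid ;;
        *)   echo none ;;
    esac
}

# Read inventory lines on stdin, skip comments and blank lines, and print one
# "OK"/"DRIFT" line per entry. A line without mode= is treated as mode=0.
audit_inventory() {
    while read -r path rest; do
        case $path in ''|'#'*) continue ;; esac
        case $rest in *mode=*) mode=${rest##*mode=}; mode=${mode%%[[:space:]]*} ;;
                      *)       mode=0 ;; esac
        exp=$(expected_privbits "$mode")
        act=$(actual_privbits "$path")
        if [ "$exp" = "$act" ]; then
            echo "OK    $path $act"
        else
            echo "DRIFT $path expected=$exp actual=$act"
        fi
    done
}

# Stand-alone run over two paths named in the thread (constructed inventory;
# the 4755 expectation for unix_chkpwd is an assumption, not the thread's ls output).
audit_inventory <<'EOF'
/usr/bin/ssh       owner=root group=root mode=4755 action=fixall checksum=md5
/sbin/unix_chkpwd  owner=root group=root mode=4755 action=fixall checksum=md5
EOF
```

A DRIFT line for unix_chkpwd on a given box is what the question above is about: whether the helper has the bit the inventory expects, or whether authentication works without it.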