Thanks guys. That does make sense now. I think I'll do what you suggested and modify unix_chkpwd. I guess the thing that stumped me (and caused untold hours of pain) was that the default PAM libs that shipped with the Cobalt RAQ3 must have already allowed user/group 'http' to verify any login/password against /etc/shadow, which I automatically assumed to be the norm. Ohh well, you live and learn eh.

Cheers...

Roger

----- Original Message -----
From: "Ben Collins" <bcollins@debian.org>
To: <pam-list@redhat.com>
Sent: Tuesday, February 20, 2001 2:57 PM
Subject: Re: /etc/shadow problem

> > This question comes up often enough that I've considered writing a number of
> > unix_chkpwd variants that could be shipped with Linux-PAM (but not enabled by
> > default!). I'm still not sure if this is a good idea, or if it's just inviting
> > trouble when admins start using that functionality without examining the
> > security implications...
>
> You could probably modify unix_chkpwd to check a config file, or
> hardcoded group for "trusted" users that can verify any uid, then make
> it suid root. Would require some special care, but it might prove
> useful. Then you can just make the web server's uid/gid part of the
> trusted group, so it can verify from pam_unix.so.
>
> Ben
>
> --
> Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux
> bcollins@debian.org -- bcollins@openldap.org -- bcollins@linux.com
>
> _______________________________________________
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list