On Mon, 2002-02-11 at 10:19, Tim Dijkstra wrote:
> Hi,
>
> I'm trying to get some app to use PAM to authenticate against /etc/shadow.
> -rw-r----- 1 root shadow 1184 Jan 31 02:06 /etc/shadow
> Shouldn't it be enough for the app to
> be a member of the 'shadow' group for this to work? Or are there any
> other restrictions.
> (Works fine when I make /etc/shadow world-readable, but don't want that
> of course)

The app would have to be running with its effective gid set to shadow.
Simply doing a chgrp shadow /bin/myapp is not enough. You would also
need to chmod g+s /bin/myapp.

Be careful, however. If /bin/myapp allows people to read arbitrary
files, people will be able to read /etc/shadow (which is really close to
making it world-readable).

Mike