Re: pam_unix opens /etc/shadow as regular user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jan 27, Jonathan DeSena wrote:

> On Fri, 27 Jan 2006 14:49:43 +0100, Thorsten Kukuk wrote:
> 
> > On Fri, Jan 27, Jonathan DeSena wrote:
> > 
> >> I have a simple patch that works for me (see below), but perhaps there
> >> is a better way. I believe this issue should be resolved in the
> >> mainline, especially as auditing in Linux becomes more common.
> > 
> > The fix is wrong, you don't need setuid root permissions to read
> > /etc/shadow. You can solve the access problems with setgid or ACLs, too.
> > So it is impossible to implement a correct check without trying to open
> > the file.
> > 
> I am not an expert in this area, so please elaborate on how to "solve the
> access problems with setgid or ACLs." Also, explain why the man page
> suggests you need to be super-user to use the shadow routines -- so how do
> you read the shadow file without root permissions?

You don't need super-user rights, you only need the correct rights.
And this depends on which mode and owner/group /etc/shadow has. With
super-user rights you can of course always read it.
 
> For processes that do not have an effective root uid (e.g. xscreensaver
> installed without setuid root), the password lookup via the shadow
> routines WILL fail.

Depends on the distribution and the configuration. On SuSE Linux it
will not fail, all screensavers have the rights to read /etc/shadow,
but not to modify it.

   Thorsten

-- 
Thorsten Kukuk         http://www.suse.de/~kukuk/      kukuk@xxxxxxx
SUSE LINUX Products GmbH       Maxfeldstr. 5       D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux