On Fri, Jan 27, Jonathan DeSena wrote:
> On Fri, 27 Jan 2006 14:49:43 +0100, Thorsten Kukuk wrote:
>
> > On Fri, Jan 27, Jonathan DeSena wrote:
> >
> > > I have a simple patch that works for me (see below), but perhaps there
> > > is a better way. I believe this issue should be resolved in the
> > > mainline, especially as auditing in Linux becomes more common.
> >
> > The fix is wrong, you don't need setuid root permissions to read
> > /etc/shadow. You can solve the access problems with setgid or ACLs, too.
> > So it is impossible to implement a correct check without trying to open
> > the file.
>
> I am not an expert in this area, so please elaborate on how to "solve the
> access problems with setgid or ACLs." Also, explain why the man page
> suggests you need to be super-user to use the shadow routines -- so how do
> you read the shadow file without root permissions?

You don't need super-user rights, you only need the correct rights. And
this depends on which mode and owner/group /etc/shadow has. With
super-user rights you can of course always read it.

> For processes that do not have an effective root uid (e.g. xscreensaver
> installed without setuid root), the password lookup via the shadow
> routines WILL fail.

Depends on the distribution and the configuration. On SuSE Linux it will
not fail, all screensavers have the rights to read /etc/shadow, but not
to modify it.

  Thorsten

--
Thorsten Kukuk                http://www.suse.de/~kukuk/        kukuk@xxxxxxx
SUSE LINUX Products GmbH      Maxfeldstr. 5                     D-90409 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list