On Fri, 2006-01-27 at 10:30, Jonathan DeSena wrote:
> On Fri, 27 Jan 2006 16:17:46 +0100, Thorsten Kukuk wrote:
> > You don't need super-user rights, you only need the correct rights. And
> > this depends on which mode and owner/group /etc/shadow has. With
> > super-user rights you can of course always read it.
>
> Okay, now I understand what you meant. It is true that the
> permissions on the shadow file COULD be anything, however, it is traditional
> (I expected standard) that it be owned by root:root with permissions 0400.
> If not, it loses the whole point of the shadow file -- hiding passwords
> from regular users. Should not pam_unix EXPECT traditional permissions on
> /etc/shadow, given that it is the "standard Unix authentication module"?

The common exception is where you want web authentication to use pam
and one of the methods you want to include is the system password
file. In this case you have to give httpd read access, probably
by making shadow group apache and group readable. If you are proposing
a change that makes this unnecessary, then root:root might be reasonable.

-- 
Les Mikesell
lesmikesell@xxxxxxxxx
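
An added example, not part of the original thread and not pam_unix code: a small audit that compares a shadow file's owner, group and mode against the traditional root:root 0400 discussed above, and lists which accounts gain access when the file is made group readable. The finding labels, function names and sample gid 48 are assumptions chosen for illustration.

```python
import grp
import os
import pwd
import stat

def classify(mode, uid, gid):
    """Findings for a shadow-style file, from its st_mode, st_uid and st_gid."""
    perms = stat.S_IMODE(mode)
    findings = []
    if uid != 0:
        findings.append("owner-not-root")
    if perms & 0o007:
        findings.append("world-access")    # any local user can reach the hashes
    if perms & 0o020:
        findings.append("group-write")
    if perms & 0o040 and gid != 0:
        findings.append("group-read")      # e.g. root:apache 0440 as in the reply
    return findings

def readers_via_group(gid):
    """Accounts that get access through gid, as supplementary or primary group."""
    try:
        names = set(grp.getgrgid(gid).gr_mem)
    except KeyError:                       # gid has no entry in the group database
        names = set()
    # gr_mem omits accounts whose *primary* group is gid, so add those too.
    names.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == gid)
    return sorted(names)

def audit(path="/etc/shadow"):
    st = os.stat(path)                     # stat needs no read permission on the file
    findings = classify(st.st_mode, st.st_uid, st.st_gid)
    report = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid,
              "gid": st.st_gid, "findings": findings}
    if "group-read" in findings or "group-write" in findings:
        report["group_accounts"] = readers_via_group(st.st_gid)
    return report

if __name__ == "__main__":
    # Constructed samples: gid 48 stands in for an "apache" group.
    for mode, uid, gid in [(0o100400, 0, 0), (0o100440, 0, 48), (0o100644, 0, 0)]:
        print(oct(stat.S_IMODE(mode)), uid, gid, classify(mode, uid, gid))
    if os.path.exists("/etc/shadow"):
        print(audit())
```

Every account returned in `group_accounts` can read the password hashes, so the group used for the web server should contain nothing but the web server account.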