On Fri, 27 Jan 2006 14:49:43 +0100, Thorsten Kukuk wrote:

> On Fri, Jan 27, Jonathan DeSena wrote:
>
>> I have a simple patch that works for me (see below), but perhaps there
>> is a better way. I believe this issue should be resolved in the
>> mainline, especially as auditing in Linux becomes more common.
>
> The fix is wrong, you don't need setuid root permissions to read
> /etc/shadow. You can solve the access problems with setgid or ACLs, too.
> So it is impossible to implement a correct check without trying to open
> the file.

After being exposed to some alternative configurations (thanks also to Les
for pointing out the web server example to me), I now see why my simple
solution does not work in general. For my limited case -- no one but root
can access the shadow file -- my patch is probably okay.

Unfortunately, the other solutions seem unsatisfying. Options seem to be:

1) install apps setuid root
2) open up shadow to a special group and add the authenticating
   application's user to that group
3) do not use pam_unix
4) live with the entries in audit log (assume auditing is enabled)
5) add option to pam_unix to skip right to the helper binary

If you have a case such as the web server example, only 1-3 work. Instead
you could use a suid helper binary that allows any user to be
authenticated, which has been discussed before on this list (generally
thought to NOT be a good idea, but does not seem any worse to me than 1 or
2). This still leaves the audit log entries unless 5 is also used.

Perhaps this is best left to the distributions and individual sys admins
for now. Though, ideally a more general solution would be available.

Thanks again,
Jon

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
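The point Thorsten makes in the quoted reply, that a "is euid root?" test cannot stand in for actually attempting to open the shadow file because group permissions or ACLs can grant access to a non-root process, as an added example that is not part of this thread or of Linux-PAM. It is my own Python code; the function names are my own, and the file it opens is a constructed temporary stand-in for /etc/shadow, so it runs without touching the real file.

```python
import errno
import os
import stat
import tempfile


def naive_can_read():
    """The predicate the rejected patch relies on: assume that only a
    process running as root can read the shadow file."""
    return os.geteuid() == 0


def can_read_by_opening(path):
    """The check the thread recommends: actually try to open the file.

    Returns (readable, errno_name). A permission failure (EACCES/EPERM) is
    the case where pam_unix would fall back to its helper binary; other
    errors (e.g. ENOENT) are reported so the caller does not confuse
    "file missing" with "not allowed"."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return True, None


def compare_checks(path):
    """Run both predicates on one path and flag where they disagree."""
    actual, err = can_read_by_opening(path)
    naive = naive_can_read()
    return {"naive": naive, "actual": actual, "error": err,
            "disagree": naive != actual}


def build_demo_file(mode):
    """Constructed stand-in for /etc/shadow: a temp file owned by the
    current user with the given mode. Returns its path (caller removes it).
    The content is a made-up, locked entry, not a real hash."""
    fd, path = tempfile.mkstemp(prefix="shadow-demo-")
    os.write(fd, b"root:*:13175:0:99999:7:::\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


def demo():
    """Two configurations the thread discusses:
    - owner/group readable (the setgid-group or ACL style of setup): the
      open succeeds for the non-root owner even though the uid test says
      "not root, so unreadable";
    - no permission bits at all: the open fails with EACCES for a non-root
      process, which is the case that produces the audit-log entries."""
    results = {}
    for label, mode in (("owner_group_readable", stat.S_IRUSR | stat.S_IRGRP),
                        ("no_permissions", 0)):
        path = build_demo_file(mode)
        try:
            results[label] = compare_checks(path)
        finally:
            os.unlink(path)
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:22s} naive={r['naive']} actual={r['actual']} "
              f"error={r['error']} disagree={r['disagree']}")
```

Run as an ordinary user, the first case shows the two predicates disagreeing: the uid test says the file is off limits while the open succeeds. Run as root both say readable for both files, which is exactly why the uid test looked correct in the narrow "only root can read shadow" configuration.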