Re: and unix_chkpw setgid - does it work for regular users?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Thu, Aug 02, 2012 at 05:36:55PM +0200, Wolfgang Draxinger wrote:
> I'm currently trying to configure user authentication on a webserver,
> that shall use the normal system user names and passwords. I'm using
> Nginx as webserver, together with the auth_pam module, as packages by
> Debian wheezy.

> I expected that since unix_chkpw is set setgid shadow I could use
> for the webserver service just as is. However it turned
> out, that the user for the webserver process must be in the group
> "shadow" for authentication to work. If the webserver can't read shadow
> it doesn't work.

> I was under the impression the idea of unix_chkpw was to have process
> separation and by having a thoroughly audited helper program, that can
> be setgid safely so that a regular user can perform tests.

It's so that a regular user can *self* authenticate.  Allowing users to call
this setgid helper directly for other accounts would let them use it for
brute forcing of passwords.  So no, what you're asking for is disallowed by

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                          
slangasek@xxxxxxxxxx                                     vorlon@xxxxxxxxxx

Attachment: signature.asc
Description: Digital signature

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux