[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_unix opens /etc/shadow as regular user



On Fri, 27 Jan 2006 14:49:43 +0100, Thorsten Kukuk wrote:

> On Fri, Jan 27, Jonathan DeSena wrote:
> 
>> I have a simple patch that works for me (see below), but perhaps there
>> is a better way. I believe this issue should be resolved in the
>> mainline, especially as auditing in Linux becomes more common.
> 
> The fix is wrong, you don't need setuid root permissions to read
> /etc/shadow. You can solve the access problems with setgid or ACLs, too.
> So it is impossible to implement a correct check without trying to open
> the file.
> 
I am not an expert in this area, so please elaborate on how to "solve the
access problems with setgid or ACLs." Also, explain why the man page
suggests you need to be super-user to use the shadow routines -- so how do
you read the shadow file without root permissions?

For processes that do not have an effective root uid (e.g. xscreensaver
installed without setuid root), the password lookup via the shadow
routines WILL fail. So why bother calling them and causing suspicious log
entries? The fix I added was the simplest I could come up with. An
alternative is to just run the helper binary in the first place.

Thanks,
Jon


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]