pam_unix opens /etc/shadow as regular user

Jonathan DeSena jonathan.desena at jhuapl.edu
Fri Jan 27 14:43:55 UTC 2006


On Fri, 27 Jan 2006 14:49:43 +0100, Thorsten Kukuk wrote:

> On Fri, Jan 27, Jonathan DeSena wrote:
> 
>> I have a simple patch that works for me (see below), but perhaps there
>> is a better way. I believe this issue should be resolved in the
>> mainline, especially as auditing in Linux becomes more common.
> 
> The fix is wrong, you don't need setuid root permissions to read
> /etc/shadow. You can solve the access problems with setgid or ACLs, too.
> So it is impossible to implement a correct check without trying to open
> the file.
> 
I am not an expert in this area, so please elaborate on how to "solve the
access problems with setgid or ACLs." Also, explain why the man page
suggests you need to be super-user to use the shadow routines -- so how do
you read the shadow file without root permissions?

For processes that do not have an effective root uid (e.g. xscreensaver
installed without setuid root), the password lookup via the shadow
routines WILL fail. So why bother calling them and causing suspicious log
entries? The fix I added was the simplest I could come up with. An
alternative is to just run the helper binary in the first place.

Thanks,
Jon
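Kukuk's point above (decide by attempting the open rather than by inspecting the effective uid, and fall back to the helper when that fails) as an added illustration in C; this is not code from Linux-PAM or from either poster, and the function name, the result classification and the sample paths are my own assumptions:

```c
/* Added illustration (not Linux-PAM code): pick the lookup path by trying
 * to open the shadow file rather than by inspecting the effective uid,
 * because setgid or an ACL can make it readable to a non-root process. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum lookup_path {
    LOOKUP_DIRECT, /* open succeeded: read the entries ourselves */
    LOOKUP_HELPER, /* EACCES/EPERM: expected for an unprivileged caller */
    LOOKUP_ERROR   /* anything else: missing file, I/O error, ... */
};

/* Attempt the open.  On success *fd_out receives the descriptor and
 * *err_out is 0; on failure *fd_out is -1 and *err_out holds errno.
 * Note that geteuid() is never consulted: "am I root" and "can I read
 * this file" are different questions. */
enum lookup_path choose_lookup_path(const char *path, int *fd_out, int *err_out)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        *fd_out = fd;
        *err_out = 0;
        return LOOKUP_DIRECT;
    }
    *fd_out = -1;
    *err_out = errno;
    /* Permission denied is the normal case for a process without root
     * (e.g. a screensaver not installed setuid): fall back to the helper
     * binary instead of treating it as an error. */
    if (*err_out == EACCES || *err_out == EPERM)
        return LOOKUP_HELPER;
    return LOOKUP_ERROR;
}

int main(void)
{
    int fd, err;
    enum lookup_path p = choose_lookup_path("/etc/shadow", &fd, &err);
    printf("euid=%u open-result=%d errno=%s\n", (unsigned)geteuid(),
           (int)p, err ? strerror(err) : "none");
    if (fd >= 0)
        close(fd);
    return 0;
}
```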