[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_unix opens /etc/shadow as regular user



On Fri, 27 Jan 2006 14:49:43 +0100, Thorsten Kukuk wrote:

> On Fri, Jan 27, Jonathan DeSena wrote:
> 
>> I have a simple patch that works for me (see below), but perhaps there
>> is a better way. I believe this issue should be resolved in the
>> mainline, especially as auditing in Linux becomes more common.
> 
> The fix is wrong, you don't need setuid root permissions to read
> /etc/shadow. You can solve the access problems with setgid or ACLs, too.
> So it is impossible to implement a correct check without trying to open
> the file.

After being exposed to some alternative configurations (thanks also to Les
for pointing out the web server example to me), I now see why my simple
solution does not work in general. For my limited case -- no one but root
can access the shadow file -- my patch is probably okay.

Unfortunately, the other solutions seem unsatisfying. Options seem to be:
1) install apps setuid root
2) open up shadow to a special group and add the authenticating
application's user to that group
3) do not use pam_unix
4) live with the entries in audit log (assume auditing is enabled)
5) add option to pam_unix to skip right to the helper binary

If you have a case such as the web server example, only 1-3 work.
Instead you could use a suid helper binary that allows any user to be
authenticated, which has been discussed before on this list (generally
thought to NOT be a good idea, but does not seem any worse to me than 1 or
2). This still leaves the audit log entries unless 5 is also used.

Perhaps this is best left to the distributions and individual sys admins
for now. Though, ideally a more general solution would be available.

Thanks again,
Jon


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]