
Re: further modifications to mod_auth_pam.c



Chris Dent writes:
>  The web server has to run as root when doing pam_auth (this _is_ true
>  isn't it?)

No.  See vlock and xlock as examples of programs that have no need to
run as root.  In particular, pam_pwdb has a way to verify even shadow
passwords without the program being setuid.

Having thought about this, I don't think it's a problem for Apache --
security is already predicated on the .htaccess file.  I'm thinking
more generally; I think that there was another application that was setuid
and allowed any user to provide an arbitrary service name, but I don't
recollect which one, and it may well have been fixed already.

michaelkjohnson

"Ever wonder why the SAME PEOPLE make up ALL the conspiracy theories?"



