
Re: Non-root services?



That is about the nicest email reply to a question
I have seen in a long time.

David, your mama would be happy.

md

dplist@free.fr wrote:
> 
> On 16 Aug 2002 17:13:51 +0200
> Nils Olav Selaasdal <noselasd@frisurf.no> wrote:
> 
> > On Sun, 2002-08-11 at 15:06, James West wrote:
> > >
> > > I'm having some trouble with getting certain services that don't
> > > run as root, using pam.
> > >
> > > Namely postgresql runs as user postgres, but I was experimenting
> > > with various versions of pam_unix and had no luck getting it to
> > > auth, until I messed with permissions of /etc/shadow.
> > >
> > > Now, I'm sure this is a really old and obvious problem. (and if the
> > > truth be known I can probably work without it)
> > >
> > > But, is there a way around it?
> >
> > We usually make a new group, shadowreaders, and:
> > chgrp shadowreaders /etc/shadow
> > chmod g+r /etc/shadow
> >
> > and add the users to that group.
> >
> 
> I wouldn't do that on my systems.
> 
> Unless you want to go back to the time when /etc/shadow did not exist
> and Crack (the program) was highly popular, you'd better not loosen
> /etc/shadow's permissions, this is where encrypted passwords are kept.
> 
> Maybe using some authentication server or a carefully written setuid
> binary (-ie- only one program to check, instead of a whole group
> potentially running any odd binary on your system), would do it for
> your problem ?
> 
> I hope what I've just written is not stupid and I wish you a nice day.
> 
> --
> David
> 

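An added example, not part of the original thread: a shell check for the exposure discussed above, listing which accounts gain read access to the password hashes once /etc/shadow is made group-readable. It assumes GNU coreutils `stat`; the function names `group_readers` and `audit_shadow` are hypothetical.

```shell
#!/bin/sh
# Added example: report who can read a shadow file besides its owner.
# Assumes GNU coreutils stat (-c). Function names are illustrative.

# group_readers GROUP GROUPFILE PASSWDFILE
# Prints every account in GROUP: supplementary members listed in the
# group file plus accounts whose primary gid is that group's gid.
group_readers() {
    awk -F: -v g="$1" '
        FNR == NR {
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }
    ' "$2" "$3" | sort -u
}

# audit_shadow [SHADOW [GROUPFILE [PASSWDFILE]]]
# Returns 0 if only the owner can read the file, 1 on a finding, 2 on error.
audit_shadow() {
    shadow=${1:-/etc/shadow}
    groupf=${2:-/etc/group}
    passwdf=${3:-/etc/passwd}
    mode=$(stat -c '%a' "$shadow") || return 2
    grp=$(stat -c '%G' "$shadow") || return 2
    m=$((0$mode))            # leading 0: parse the mode as octal
    rc=0
    if [ $((m & 004)) -ne 0 ]; then
        echo "world-readable: $shadow (mode $mode)"
        rc=1
    fi
    if [ $((m & 040)) -ne 0 ]; then
        echo "group-readable: $shadow (mode $mode, group $grp)"
        # Any process running as one of these accounts can copy the hashes.
        group_readers "$grp" "$groupf" "$passwdf" | sed 's/^/  reader: /'
        rc=1
    fi
    return $rc
}

# Run the audit only when a path is given, e.g.: sh audit.sh /etc/shadow
if [ "$#" -gt 0 ]; then
    audit_shadow "$@"
fi
```

The group and passwd files are parameters so the check can be run against copies taken from another host.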