[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: non setuid root applications are able to do authentication from a 'secure' NIS server but why?



On Wed, May 22, Thomas Glanzmann wrote:

> Hi out there,
> I have a NIS Server serving a Password Database with entries like that:
> 
> sithglan:##sithglan:31401:30003:Thomas Glanzmann, CIP Admin:/home/cip/adm/sithglan:/local/login/bin/env-csh
> 
> This NIS Server also serves a map named passwd.adjunct.byname to source ports < 1024.
> 
> And I have a pam enabled Linux application named xlock. This xlock application
> is able to do the password authentication for a user but why? Caches Linux PAM
> allready sucessfully authenticated passwords? Or is there another mechanism?
> 
> If I try the same thing under Solaris the PAM enabled xlock application needs an
> root sbit to proceed. Has somebody an idea, how I can get Solaris to the same
> thing linux does? So that I don't have to put the xlock application setuid root?

You don't tell anything about your PAM configuration, but I think
you use a PAM module, which calls an external setuid root helper
binary. As far as I know, pam_pwdb and pam_unix.so are doing so.

  Thorsten

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Deutschherrnstr. 15-19        D-90429 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []