[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: non setuid root applications are able to do authentication froma 'secure' NIS server but why?



On Wed, 22 May 2002, Thorsten Kukuk wrote:

> On Wed, May 22, Thomas Glanzmann wrote:
>
> > Hi out there,
> > I have a NIS Server serving a Password Database with entries like that:
> >
> > sithglan:##sithglan:31401:30003:Thomas Glanzmann, CIP Admin:/home/cip/adm/sithglan:/local/login/bin/env-csh
> >
> > This NIS Server also serves a map named passwd.adjunct.byname to source ports < 1024.
> >
> > And I have a pam enabled Linux application named xlock. This xlock application
> > is able to do the password authentication for a user but why? Caches Linux PAM
> > allready sucessfully authenticated passwords? Or is there another mechanism?
> >
> > If I try the same thing under Solaris the PAM enabled xlock application needs an
> > root sbit to proceed. Has somebody an idea, how I can get Solaris to the same
> > thing linux does? So that I don't have to put the xlock application setuid root?
>
> You don't tell anything about your PAM configuration, but I think
> you use a PAM module, which calls an external setuid root helper
> binary. As far as I know, pam_pwdb and pam_unix.so are doing so.
>
>   Thorsten

Here is a list of my setuid binaries ...

  # only some programms are set uid root
  /bin/ping            owner=root group=root mode=4755 action=fixall checksum=md5
  /bin/su              owner=root group=root mode=4755 action=fixall checksum=md5
  /usr/bin/wall        owner=root group=tty  mode=4755 action=fixall checksum=md5
  /usr/bin/at          owner=root group=root mode=4755 action=fixall checksum=md5
  /usr/bin/write       owner=root group=tty  mode=4755 action=fixall checksum=md5
  /usr/bin/traceroute  owner=root group=root mode=4755 action=fixall checksum=md5
  /usr/sbin/sendmail   owner=root group=mail mode=4755 action=fixall checksum=md5
  /usr/bin/crontab     owner=root group=root mode=4755 action=fixall checksum=md5
  /usr/bin/ssh         owner=root group=root mode=4755 action=fixall checksum=md5

But there still a few setgid root programms, but I thought that a setuid root is
needed to bind a port less then 1024.

Do you know the name of the setuid root helper or where I can read about it?

Greetings,
--
Thomas Glanzmann            +49 1212 5 269 38 260
Rathsbergerstrasse 28 D-91054 Erlangen / Burgberg





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []