[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: non setuid root applications are able to do authentication froma'secure' NIS server but why?



On Wed, 22 May 2002, Thomas Glanzmann wrote:

> On Wed, 22 May 2002, Thorsten Kukuk wrote:
>
> > On Wed, May 22, Thomas Glanzmann wrote:
> >
> > > Hi out there,
> > > I have a NIS Server serving a Password Database with entries like that:
> > >
> > > sithglan:##sithglan:31401:30003:Thomas Glanzmann, CIP Admin:/home/cip/adm/sithglan:/local/login/bin/env-csh
> > >
> > > This NIS Server also serves a map named passwd.adjunct.byname to source ports < 1024.
> > >
> > > And I have a pam enabled Linux application named xlock. This xlock application
> > > is able to do the password authentication for a user but why? Caches Linux PAM
> > > allready sucessfully authenticated passwords? Or is there another mechanism?
> > >
> > > If I try the same thing under Solaris the PAM enabled xlock application needs an
> > > root sbit to proceed. Has somebody an idea, how I can get Solaris to the same
> > > thing linux does? So that I don't have to put the xlock application setuid root?
> >
> > You don't tell anything about your PAM configuration, but I think
> > you use a PAM module, which calls an external setuid root helper
> > binary. As far as I know, pam_pwdb and pam_unix.so are doing so.
> >
> >   Thorsten
>
> Here is a list of my setuid binaries ...
>
>   # only some programms are set uid root
>   /bin/ping            owner=root group=root mode=4755 action=fixall checksum=md5
>   /bin/su              owner=root group=root mode=4755 action=fixall checksum=md5
>   /usr/bin/wall        owner=root group=tty  mode=4755 action=fixall checksum=md5
>   /usr/bin/at          owner=root group=root mode=4755 action=fixall checksum=md5
>   /usr/bin/write       owner=root group=tty  mode=4755 action=fixall checksum=md5
>   /usr/bin/traceroute  owner=root group=root mode=4755 action=fixall checksum=md5
>   /usr/sbin/sendmail   owner=root group=mail mode=4755 action=fixall checksum=md5
>   /usr/bin/crontab     owner=root group=root mode=4755 action=fixall checksum=md5
>   /usr/bin/ssh         owner=root group=root mode=4755 action=fixall checksum=md5
>
> But there still a few setgid root programms, but I thought that a setuid root is
> needed to bind a port less then 1024.
>
> Do you know the name of the setuid root helper or where I can read about it?
>
faui05c:/var/cfengine/inputs# ls -al /sbin/unix_chkpwd
-rwxr-xr-x    1 root     wheel       14508 Jan 21 21:25 /sbin/unix_chkpwd

but it isn't setuid root ... so how it works anyway?

FYI:

NAME
       unix_chkpwd - check the password of the invoking user

SYNOPSIS
       <not invoked manually>

DESCRIPTION
       A  helper  binary for the pam_unix module, unix_chkpwd, is
       provided to check the user's password when it is stored in
       a  read  protected  database,  such as shadow'd passwords.
       This binary is very simple and will only check  the  pass­
       word  of  the user invoking it. It is called transparently
       on behalf of the user by the authenticating  component  of
       the pam_unix module. In this way it is possible for appli­
       cations like xlock to work work without being setuid root.

USAGE
       This  program  is  not  intended  to be called directly by
       users and will log to syslog if it  is  called  imporperly
       (i.e., by some one trying exploit it).






[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []