pam_unix opens /etc/shadow as regular user

Jonathan DeSena jonathan.desena at jhuapl.edu
Fri Jan 27 21:18:25 UTC 2006


On Fri, 27 Jan 2006 14:49:43 +0100, Thorsten Kukuk wrote:

> On Fri, Jan 27, Jonathan DeSena wrote:
> 
>> I have a simple patch that works for me (see below), but perhaps there
>> is a better way. I believe this issue should be resolved in the
>> mainline, especially as auditing in Linux becomes more common.
> 
> The fix is wrong, you don't need setuid root permissions to read
> /etc/shadow. You can solve the access problems with setgid or ACLs, too.
> So it is impossible to implement a correct check without trying to open
> the file.

After being exposed to some alternative configurations (thanks also to Les
for pointing out the web server example to me), I now see why my simple
solution does not work in general. For my limited case -- no one but root
can access the shadow file -- my patch is probably okay.

Unfortunately, the other solutions seem unsatisfying. Options seem to be:
1) install apps setuid root
2) open up shadow to a special group and add the authenticating
application's user to that group
3) do not use pam_unix
4) live with the entries in audit log (assume auditing is enabled)
5) add option to pam_unix to skip right to the helper binary

If you have a case such as the web server example, only 1-3 work.
Instead you could use a suid helper binary that allows any user to be
authenticated, which has been discussed before on this list (generally
thought to NOT be a good idea, but does not seem any worse to me than 1 or
2). This still leaves the audit log entries unless 5 is also used.

Perhaps this is best left to the distributions and individual sys admins
for now. Though, ideally a more general solution would be available.

Thanks again,
Jon
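The point Thorsten makes above, as an added example (not pam_unix's own code): whether this process may read the shadow file is decided by the result of actually opening it, not by the caller's uid, and a permission denial is kept distinct from "user not found" and from other errors before the decision to hand off to the setuid helper. The file path, user name and hash value below are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Only the open() attempt itself can tell whether this process may read the
 * file: a setgid shadow group or an ACL may grant access to a non-root uid. */
enum shadow_access { SHADOW_OK, SHADOW_USE_HELPER, SHADOW_NOUSER, SHADOW_ERROR };
/* Hypothetical lookup, not pam_unix's code: find `user` in the shadow-format
 * file at `path` and copy its hash field into `hash`. EACCES means "hand off
 * to the setuid helper"; an unknown user or other failure is reported apart. */
enum shadow_access lookup_shadow_hash(const char *path, const char *user,
                                      char *hash, size_t hashlen)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return errno == EACCES ? SHADOW_USE_HELPER : SHADOW_ERROR;
    char line[1024];
    enum shadow_access rc = SHADOW_NOUSER;
    while (fgets(line, sizeof line, fp) != NULL) {
        char *sep = strchr(line, ':');
        if (sep == NULL) continue;
        *sep = '\0';
        if (strcmp(line, user) != 0) continue;
        size_t n = strcspn(sep + 1, ":\n");  /* hash ends at next ':' or EOL */
        rc = SHADOW_ERROR;                   /* stays ERROR if hash too long */
        if (n < hashlen) {
            memcpy(hash, sep + 1, n);
            hash[n] = '\0';
            rc = SHADOW_OK;
        }
        break;
    }
    fclose(fp);
    return rc;
}

/* Creates a constructed shadow-format file owned by this process (mkstemp
 * makes it mode 0600) and returns its path; the hash is a placeholder. */
const char *write_sample_shadow(void)
{
    static char path[] = "/tmp/shadow-sample-XXXXXX";
    const char *body = "root:*:13175:0:99999:7:::\njon:$1$constructed$hash:13175:0:99999:7:::\n";
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, body, strlen(body)) < 0) return NULL;
    close(fd);
    return path;
}
```

Against a real /etc/shadow run as an unprivileged uid without group or ACL access, the same call returns SHADOW_USE_HELPER, which is exactly the open() attempt that shows up in the audit log.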



