pam_unix opens /etc/shadow as regular user

Les Mikesell les at futuresource.com
Mon Jan 30 16:33:30 UTC 2006


On Mon, 2006-01-30 at 09:33, Jonathan DeSena wrote:

> I will probably do the latter for now, at least. The modification to
> the audit policy that would help would be to not log accesses of
> /etc/shadow by certain programs running as non-root (only xscreensaver in
> our environment). Unfortunately, SNARE does not support filtering by
> program name, only user. Regardless, I do not think this would be an
> allowable change. I also enumerated some other possibilities in a previous
> post.
> 
> Thanks to all for helping to point out the limitations of my simple patch.
> I now understand better when it will and will not work. That is why I
> posted it to the list. 
> 
> I would still appreciate any additional comments on how to best resolve
> the auditing issue.

If there was a simple solution, someone would have done it long
ago. You either need to grant access to the file by the programs
that need it, or you need a suid helper to do it for you.  Flip
a coin as to which approach is less likely to introduce security
bugs.

-- 
  Les Mikesell
   les at futuresource.com
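The post-filter Jonathan wished SNARE offered, suppressing /etc/shadow opens by a named non-root program while keeping every other access, as an added example that is not part of the original thread. It assumes Linux auditd-style SYSCALL/PATH records (SNARE's native output layout may differ), and the log lines it runs over are constructed for the example. The allow-list key is the `comm` field, which any process can set for itself, so this only reduces noise; it is not a security boundary, and the unfiltered accesses are what an analyst should still be looking at.

```python
"""Suppress audit events where an allow-listed program, running as a
non-root user, opens /etc/shadow; keep everything else for review.

Added example, not from the mailing-list thread.  Record layout follows
Linux auditd (assumption: SNARE's format differs); each event's records
share the msg=audit(TIMESTAMP:SERIAL) identifier.
"""
import re
from collections import defaultdict

# Programs expected to probe /etc/shadow as non-root (only xscreensaver
# in the thread's environment).  Matching on comm is a noise filter,
# not an authorization check: a process may name itself anything.
ALLOWED_NONROOT_READERS = {"xscreensaver"}

AUDIT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not captured from a real system).
SAMPLE_LOG = [
    # event 101: xscreensaver as uid 1000, open denied -> suppress
    'type=SYSCALL msg=audit(1138640010.101:101): arch=c000003e syscall=2 '
    'success=no exit=-13 uid=1000 auid=1000 comm="xscreensaver" '
    'exe="/usr/X11R6/bin/xscreensaver" key="shadow"',
    'type=PATH msg=audit(1138640010.101:101): item=0 name="/etc/shadow" '
    'inode=1234 mode=0100400 ouid=0 ogid=0',
    # event 102: passwd running as root -> keep
    'type=SYSCALL msg=audit(1138640010.102:102): arch=c000003e syscall=2 '
    'success=yes exit=3 uid=0 auid=0 comm="passwd" exe="/usr/bin/passwd" '
    'key="shadow"',
    'type=PATH msg=audit(1138640010.102:102): item=0 name="/etc/shadow" '
    'inode=1234 mode=0100400 ouid=0 ogid=0',
    # event 103: unlisted program as uid 1000 -> keep (the interesting case)
    'type=SYSCALL msg=audit(1138640010.103:103): arch=c000003e syscall=2 '
    'success=no exit=-13 uid=1000 auid=1000 comm="cat" exe="/bin/cat" '
    'key="shadow"',
    'type=PATH msg=audit(1138640010.103:103): item=0 name="/etc/shadow" '
    'inode=1234 mode=0100400 ouid=0 ogid=0',
    # event 104: xscreensaver reading /etc/passwd -> not a shadow access
    'type=SYSCALL msg=audit(1138640010.104:104): arch=c000003e syscall=2 '
    'success=yes exit=4 uid=1000 auid=1000 comm="xscreensaver" '
    'exe="/usr/X11R6/bin/xscreensaver"',
    'type=PATH msg=audit(1138640010.104:104): item=0 name="/etc/passwd" '
    'inode=1233 mode=0100644 ouid=0 ogid=0',
]


def parse_record(line):
    """Split one audit line into a dict of field -> value (quotes stripped)."""
    m = AUDIT_ID_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["event_id"] = m.group(2)
    return fields


def group_events(lines):
    """Collect the SYSCALL and PATH records belonging to each event id."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["event_id"]].append(rec)
    return events


def shadow_accesses(lines):
    """Yield (event_id, comm, uid) for every event that names /etc/shadow."""
    for event_id, recs in group_events(lines).items():
        touches_shadow = any(
            r.get("type") == "PATH" and r.get("name") == "/etc/shadow" for r in recs
        )
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if touches_shadow and syscall is not None:
            yield event_id, syscall.get("comm", "?"), int(syscall.get("uid", -1))


def filter_shadow_events(lines):
    """Return (kept, suppressed) event-id lists.

    Suppressed only when the caller is non-root AND its comm is allow-listed;
    root accesses and unlisted programs are always kept.
    """
    kept, suppressed = [], []
    for event_id, comm, uid in shadow_accesses(lines):
        if uid != 0 and comm in ALLOWED_NONROOT_READERS:
            suppressed.append(event_id)
        else:
            kept.append(event_id)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_shadow_events(SAMPLE_LOG)
    print("kept for review:", kept)
    print("suppressed as expected noise:", suppressed)
```

Running the module on the constructed records keeps events 102 and 103 and suppresses only 101. Event 103 is the reason the filter is narrow: an unlisted program hitting /etc/shadow from a non-root uid is exactly what the audit policy exists to surface, so only a specific, expected program is silenced rather than all non-root accesses.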
