On Wednesday 05 April 2006 19:56, David N. Welton wrote: 
> [EMAIL PROTECTED]:~# ls -l /sbin/unix_chkpwd
> -rwxr-sr-x  1 root shadow 14988 Sep 12  2005 /sbin/unix_chkpwd
>
> Shadow file is ok:
>
> -rw-r-----  1 root shadow 1437 Apr  5 17:55 /etc/shadow
>
> I'm a little rusty with my unix security stuff, but... why is it even
> launching this auxiliary program if it can't do anything it can't in the
> first place?  Also... why can't it read shadow?
>
> Ideas?  This really should be possible via some sort of *very, very*
> simple setuid auth mechanism.

The manpage says that unix_chkpwd will only check the password of the user
invoking it. The webserver has to check the password of other users.

-- 
 .''`.    Piotr Roszatycki
: :' :    mailto:[EMAIL PROTECTED]
`. `'     mailto:[EMAIL PROTECTED]
  `-

