Hi Marcin,

On Fri, Oct 09, 2009 at 09:43:45PM +0200, Marcin Szewczyk wrote:
> Am I the only one, who thinks that giving anything a privilege to read
> /etc/shadow while using PAM is a complete misunderstanding of how PAM works?

No. I found this report while trying to reduce the duplication in password databases on our company server. And I can't stop shaking my head about this "trick".

1) /etc/shadow should not be readable by any network services (at least not directly). There is a reason why PAM uses a suid helper to read it... See unix_chkpwd(8). Why a program not intended to be called directly from the command line is sitting in /sbin is beyond me though...

2) The whole idea of PAM is to abstract away the underlying authentication source. We are going via LDAP here, so having it access /etc/shadow would not help in any way...

If you open up access to /etc/shadow you are doing something very wrong.

Greetings,
Torsten
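A small audit script illustrating the two points above. This is an added example, not code from Torsten's mail or from the PAM project. It assumes GNU coreutils `stat -c '%a %U %G'` output and a Debian-style layout (/etc/shadow owned root:shadow mode 0640, the helper at /sbin/unix_chkpwd owned root:shadow with the setgid bit; other distributions ship the helper setuid root instead, which the check also accepts). The checks take constructed mode/owner/group triples so the logic runs offline; `--live` runs them against the real files.

```sh
#!/bin/sh
# Added example: verify that /etc/shadow is not readable by unprivileged
# (i.e. network-facing) processes, and that the PAM helper that reads it
# on their behalf actually carries the privilege to do so.
#
# Assumptions (not taken from the original mail): GNU stat '%a %U %G' output,
# Debian paths and ownership as described in the lead-in.

# Split a stat %a mode ("640" or "2755") into "SPECIAL PERMS".
# stat prints a leading digit only when a setuid/setgid/sticky bit is set.
split_mode() {
    mode=$1
    case ${#mode} in
        4) echo "${mode%???} ${mode#?}" ;;
        *) echo "0 $mode" ;;
    esac
}

# /etc/shadow is acceptable only if root-owned and the "other" rwx digit
# is 0: no unprivileged process, and so no network service, can read it.
# Usage: shadow_ok MODE OWNER GROUP
shadow_ok() {
    set -- $(split_mode "$1") "$2" "$3"   # $1=special $2=perms $3=owner $4=group
    [ "$3" = root ] || return 1
    case $2 in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# The checker helper must gain privilege the calling service lacks: either
# setuid root (special digit has the 4 bit) or setgid to the shadow group
# (special digit has the 2 bit). A plain 0755 helper could not open the file.
# Usage: helper_ok MODE OWNER GROUP
helper_ok() {
    set -- $(split_mode "$1") "$2" "$3"
    case $1 in
        4|5|6|7) if [ "$3" = root ]; then return 0; fi ;;
    esac
    case $1 in
        2|3|6|7) if [ "$4" = shadow ]; then return 0; fi ;;
    esac
    return 1
}

# Run the checks against the live system. Not executed automatically so the
# functions above can be exercised with constructed input.
audit_live() {
    rc=0
    if m=$(stat -c '%a %U %G' /etc/shadow 2>/dev/null); then
        if shadow_ok $m; then echo "/etc/shadow: ok ($m)"
        else echo "/etc/shadow: NOT OK, readable by others or not root-owned ($m)"; rc=1; fi
    else
        echo "/etc/shadow: cannot stat"; rc=1
    fi
    for h in /sbin/unix_chkpwd /usr/sbin/unix_chkpwd; do
        [ -e "$h" ] || continue
        m=$(stat -c '%a %U %G' "$h")
        if helper_ok $m; then echo "$h: ok ($m)"
        else echo "$h: NOT PRIVILEGED, cannot read /etc/shadow ($m)"; rc=1; fi
    done
    return $rc
}

# e.g.  sh audit_shadow.sh --live
if [ "${1:-}" = --live ]; then
    audit_live
fi
```

The point of the two functions is the contrast Torsten draws: the service itself must fail `shadow_ok`-style access (no read bit for others, no membership in group shadow), while the one program allowed to read the file is the helper that PAM's pam_unix module execs, and only because it is installed with the special bit that `helper_ok` looks for. Granting the service those permissions directly undoes that separation.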

