On Wed, 27 Feb 2002 06:23:58 EST, Michael Mitton said:
> Even with PAM you need to be root. I had this trouble myself and ended up
> writing a helper script that ran suid as root and passed login info via
> pipes. If you are not root, it seems to only auth the user you are
> running your script as.

Very true - but on the *other* hand - under what conditions do you *want*
to be able to authenticate as some other user? That's a big security hole.
1) Unless you're very careful, the program can then be used as a password
guesser for another userid. You can even automate it using XTest or similar.
2) Since you're still running as yourself, authenticating as somebody else
doesn't do squat for you - you only have your own access permissions.
You *could* invoke or contact something else - but *that* something should
be doing its *own* authentication. For instance, having your program
shout down a named pipe "Yeah, it's really the other guy" is broken
security-wise - the program at the other end of the pipe needs to verify
*for itself* that whatever is at the sending end is who it claims to be.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
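
Added example (not part of the original message): one way for the program at the receiving end to verify the sender for itself instead of trusting what it is told. It assumes Linux and swaps the named pipe for a Unix domain socket, because a FIFO carries no peer credentials while SO_PEERCRED returns the UID the kernel recorded; peer_uid, handle_request and demo are hypothetical names.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid, uid_t uid, gid_t gid
UCRED = struct.Struct("iII")


def peer_uid(conn):
    """Return the UID the kernel recorded for the process at the other end."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    _pid, uid, _gid = UCRED.unpack(raw)
    return uid


def handle_request(conn, allowed_uids):
    """Decide on the kernel-reported peer UID, never on the sender's claim.

    Returns (verdict, actual_uid, claimed_text); the claim is kept only so
    it can be logged next to the real identity.
    """
    claimed = conn.recv(256).decode("ascii", "replace").strip()
    actual = peer_uid(conn)
    verdict = "allow" if actual in allowed_uids else "deny"
    return verdict, actual, claimed


def demo(allowed_uids):
    """Constructed scenario: a socketpair stands in for helper <-> service."""
    service_end, helper_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # The sender asserts it speaks for a different user than it runs as.
        other = os.getuid() + 1
        helper_end.sendall(f"uid={other}\n".encode("ascii"))
        return handle_request(service_end, allowed_uids)
    finally:
        service_end.close()
        helper_end.close()


if __name__ == "__main__":
    print(demo(allowed_uids={os.getuid()}))
```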
