On Sunday 03 August 2003 12.09, Andrew Bartlett wrote:

> I think this really should be up to the admin - it should be
> clearly documented, but if you are using something like
> pam_winbind, you don't need this, or the risks it exposes.  If we
> don't supply a default pam config file, then we shouldn't add
> the setuid by default.  (If we do, then we should set it
> appropriately for the file as listed)

There is intentionally no pam config file shipped with the helper. The 
admin is assumed to know PAM administration and to read documentation 
when installing this helper. There is a man page which mentions what 
needs to be known regarding the use of the helper.

The PAM helper is really meant as a last-resort helper. Where possible 
the stand-alone helpers should be used. I can not count the number of 
times I have told people to use the stand-alone helpers instead (even 
get questions on how to specify which password file to use with 
pam_auth...).


The pam_auth manual page says

       When used for authenticating to local UNIX shadow password
       databases the program must be running as root or else it
       won't have sufficient permissions to access the user password
       database. Such use of this program is not recommended,
       but if you absolutely need to then make the program
       setuid root

              chown root pam_auth
              chmod u+s pam_auth

       Please  note  that  in  such  configurations  it  is  also
       strongly  recommended  that  the  program  is moved into a
       directory where normal users cannot  access  it,  as  this
       mode of operation will allow any local user to brute-force
       other users passwords. Also note the program has not  been
       fully  audited  and  the author cannot be held responsible
       for any security issues due to such installations.


Which I think expresses my opinion in this matter quite clearly.

Regards
Henrik
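
An added example, not part of the message above or of the pam_auth distribution: a POSIX shell check for the exposure the quoted man page describes, a setuid helper that normal users can still reach. The function names, return codes and the optional `top` argument are assumptions of this example, and it inspects only the "other" permission bits, not group membership or ACLs.

```shell
#!/bin/sh
# Added example. Return codes are this example's own convention:
#   0 = helper is not setuid
#   1 = setuid and reachable by "other" users (the case the man page warns about)
#   2 = setuid, but the file or an enclosing directory denies "other" users
#   3 = path is not a regular file or cannot be resolved

# True when the "other" execute/search bit is set on $1.
other_x() {
    [ -n "$(find "$1" -prune -perm -0001 2>/dev/null)" ]
}

audit_helper() {
    helper=$1
    top=${2:-/}    # hypothetical parameter: stop the directory walk here
    [ -f "$helper" ] || return 3

    # -perm -4000 matches only when the setuid bit is set.
    if [ -z "$(find "$helper" -prune -perm -4000)" ]; then
        echo "$helper: not setuid"
        return 0
    fi

    # Other users need execute on the file and search on every directory above it.
    if ! other_x "$helper"; then
        echo "$helper: setuid, not executable by other users"
        return 2
    fi
    dir=$(cd "$(dirname "$helper")" && pwd -P) || return 3
    top=$(cd "$top" && pwd -P) || return 3
    while :; do
        if ! other_x "$dir"; then
            echo "$helper: setuid, $dir blocks other users"
            return 2
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    echo "$helper: setuid and reachable by other users"
    return 1
}
```
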
