Re: radiusd-freeradius history and future
Russell Coker <russell@coker.com.au> wrote:
> On Thu, 13 Nov 2003 11:15, Andreas Metzler <ametzler@downhill.at.eu.org>
> wrote:
>> > Or do you have to be root for getpwnam() to work on NIS accounts?
>> In certain NIS configurations you can only access the hashed password
>> if your query to the NIS server comes from a privileged port <=1024,
>> i.e. afaict yes.
> This is so ugly.
> Maybe we should have a debconf option for whether the program in
> question is to be SETUID root or SETGID shadow? Then the minority
> of people who use NIS can have full functionality, while the
> majority of people who don't use NIS can have better security.
Sounds feasible. (Of course, if you insist, you can already use
dpkg-statoverride today.) A patch would look like this:
config:

    if ! dpkg-statoverride --list /sbin/unix_chkpwd 1>/dev/null 2>&1 ; then
        # check if we are installing suid or not
        RET=false
        db_input medium libpam-modules/unix_chkpwd_SUID_bit || true
        db_go
    fi

postinst:

    if [ "$1" = "configure" ] ; then
        # do nothing if local admin has overridden the permissions
        if ! dpkg-statoverride --list /sbin/unix_chkpwd 1>/dev/null 2>&1 ; then
            RET=false
            db_get libpam-modules/unix_chkpwd_SUID_bit
            if [ "$RET" = "true" ]; then
                # setuid root: full functionality, e.g. for NIS
                chown root:root /sbin/unix_chkpwd
                chmod 4755 /sbin/unix_chkpwd
            else
                # setgid shadow: the less privileged choice
                chown root:shadow /sbin/unix_chkpwd
                chmod 2755 /sbin/unix_chkpwd
            fi
        fi
    fi

cu andreas
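
An added example, not part of the original message or of any Debian package: a small audit script that reports which of the two privilege models discussed above a helper is actually installed with, and whether a local dpkg-statoverride is in effect. The function names classify_mode and audit_helper are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the privilege model of a password-checking helper.

# classify_mode MODE OWNER GROUP -> prints one label (hypothetical helper)
classify_mode() {
    mode=$1 owner=$2 group=$3
    # stat prints the special bits as a leading 4th octal digit, or omits it.
    case $mode in
        ????) special=${mode%???} ;;
        *)    special=0 ;;
    esac
    suid=$(( (special & 4) != 0 ))
    sgid=$(( (special & 2) != 0 ))
    if [ "$suid" -eq 1 ] && [ "$owner" = root ]; then
        echo setuid-root              # runs with full root privileges
    elif [ "$suid" -eq 0 ] && [ "$sgid" -eq 1 ] && [ "$group" = shadow ]; then
        echo setgid-shadow            # can only read what group shadow can
    elif [ "$suid" -eq 1 ] || [ "$sgid" -eq 1 ]; then
        echo unexpected-special-bits  # special bit with another owner/group
    else
        echo unprivileged
    fi
}

# audit_helper PATH -> one summary line; returns 1 if PATH does not exist
audit_helper() {
    path=$1
    [ -e "$path" ] || { echo "$path: missing"; return 1; }
    # GNU stat: %a octal mode, %U owner name, %G group name
    set -- $(stat -c '%a %U %G' "$path")
    label=$(classify_mode "$1" "$2" "$3")
    # A registered override means the postinst leaves the file alone.
    if command -v dpkg-statoverride >/dev/null 2>&1 &&
       dpkg-statoverride --list "$path" >/dev/null 2>&1; then
        src=statoverride
    else
        src=package-default
    fi
    echo "$path: $label mode=$1 owner=$2 group=$3 source=$src"
}

audit_helper /sbin/unix_chkpwd || true
```
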