
Re: Shadow passwords and GNU su



Christoph Lameter:
> You have to add all the web servers, I guess, since they can authenticate
> based on /etc/passwd. Also poppassd and the pop-clients.

Are you sure about web servers?  I thought they use their own
authentication databases...  I'd rather not run any web server
as root, or even as group "shadow" (a simple misconfiguration
can compromise the shadow password file).

poppassd is quite a big problem not because of shadow passwords,
but because it runs passwd on a pty and will break if messages
printed by passwd are changed.  A better solution is needed -
perhaps write part of poppassd in "expect" so it can be easily
changed?  (Problem: expect depends on tcl/tk which is big...)

BTW, poppassd should not run passwd as root.  It should run it as
the user, still specifying the username.  The old passwd should be
fixed to allow specifying username as long as it matches the UID
of the current user.

> I think this will be a long list. I don't think this will be easy.

This _was_ a long list, but most of the work is already done...

Marek
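
The rule proposed above for passwd (accept an explicit username when it maps to the caller's UID) matters when several account names share one UID. The following is an added sketch, not part of the original message and not code from passwd or poppassd; `lookup_uid`, `may_change_password` and the sample passwd lines are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample passwd lines: "alice" and "alice-mail" share UID 1000. */
static const char *const SAMPLE_PASSWD[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1000:1000:Alice:/home/alice:/bin/sh",
    "alice-mail:x:1000:1000:Alice (mail):/home/alice:/bin/false",
    "bob:x:1001:1001:Bob:/home/bob:/bin/sh",
};
#define SAMPLE_COUNT (sizeof SAMPLE_PASSWD / sizeof SAMPLE_PASSWD[0])

/* Find the UID for an exact login name; 0 on success, -1 if absent or malformed. */
static int lookup_uid(const char *const *lines, size_t n, const char *name, uid_t *uid_out)
{
    size_t len = strlen(name);
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strncmp(l, name, len) != 0 || l[len] != ':')
            continue;                              /* not this name (prefixes do not match) */
        const char *p = strchr(l + len + 1, ':');  /* skip the password field */
        char *end;
        if (!p)
            return -1;
        unsigned long v = strtoul(p + 1, &end, 10);
        if (end == p + 1 || *end != ':')
            return -1;                             /* UID field empty or not numeric */
        *uid_out = (uid_t)v;
        return 0;
    }
    return -1;
}

/* Allow the change if the caller is root or the named account has the caller's UID. */
int may_change_password(const char *const *lines, size_t n, uid_t caller, const char *target)
{
    uid_t target_uid;
    if (target == NULL || *target == '\0' || strchr(target, ':'))
        return 0;                                  /* reject empty or field-breaking names */
    if (lookup_uid(lines, n, target, &target_uid) != 0)
        return 0;                                  /* unknown account: deny */
    return caller == 0 || caller == target_uid;
}

int main(void)
{
    printf("uid 1000 -> alice-mail: %d\n", may_change_password(SAMPLE_PASSWD, SAMPLE_COUNT, 1000, "alice-mail"));
    printf("uid 1000 -> bob: %d\n", may_change_password(SAMPLE_PASSWD, SAMPLE_COUNT, 1000, "bob"));
    return 0;
}
```

A real implementation would take the caller's identity from getuid() and the account from getpwnam() rather than from an embedded table.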

