Re: radiusd-freeradius history and future

To: debian-devel@lists.debian.org
Subject: Re: radiusd-freeradius history and future
From: Matt Zimmerman <mdz@debian.org>
Date: Tue, 11 Nov 2003 21:47:30 -0500
Message-id: <[🔎] 20031112024730.GM9377@dijkstra.csh.rit.edu>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 200311121323.02750.russell@coker.com.au>
References: <20030111000253.29887.qmail@oak.oeko.net> <[🔎] 20031112010727.GD27802@dat.etsit.upm.es> <[🔎] 20031112014038.GJ9377@dijkstra.csh.rit.edu> <[🔎] 200311121323.02750.russell@coker.com.au>

On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote:

> Allowing a RADIUS server to authenticate local users against /etc/shadow
> is standard and expected functionality IMHO.  I consider any RADIUS server
> which can't authenticate against the local accounts database to be
> severely broken.

I disagree; I wouldn't let any of these RADIUS implementations near my
shadow file.

> One possible solution to this is to have a special GID for non-root
> programs which are allowed to check passwords.  I would be happy to code
> this if someone else wants to do the testing...

We already have such a group, named "shadow".  In fact, I don't know why
unix_chkpwd is setuid root rather than setgid shadow.

-- 
 - mdz

Reply to:

Follow-Ups:
- Re: radiusd-freeradius history and future
  - From: Russell Coker <russell@coker.com.au>

References:
- Re: radiusd-freeradius history and future
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: radiusd-freeradius history and future
  - From: Matt Zimmerman <mdz@debian.org>
- Re: radiusd-freeradius history and future
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: radiusd-freeradius history and future
Next by Date: Re: Version Updating Question
Previous by thread: Re: radiusd-freeradius history and future
Next by thread: Re: radiusd-freeradius history and future
Index(es):
- Date
- Thread