[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: radiusd-freeradius history and future

On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote:

> Allowing a RADIUS server to authenticate local users against /etc/shadow
> is standard and expected functionality IMHO.  I consider any RADIUS server
> which can't authenticate against the local accounts database to be
> severely broken.

I disagree; I wouldn't let any of these RADIUS implementations near my
shadow file.

> One possible solution to this is to have a special GID for non-root
> programs which are allowed to check passwords.  I would be happy to code
> this if someone else wants to do the testing...

We already have such a group, named "shadow".  In fact, I don't know why
unix_chkpwd is setuid root rather than setgid shadow.

 - mdz

Reply to: