Re: radiusd-freeradius history and future
On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote:
> Allowing a RADIUS server to authenticate local users against /etc/shadow
> is standard and expected functionality IMHO. I consider any RADIUS server
> which can't authenticate against the local accounts database to be
> severely broken.
I disagree; I wouldn't let any of these RADIUS implementations near my
shadow file.
> One possible solution to this is to have a special GID for non-root
> programs which are allowed to check passwords. I would be happy to code
> this if someone else wants to do the testing...
We already have such a group, named "shadow". In fact, I don't know why
unix_chkpwd is setuid root rather than setgid shadow.
--
- mdz
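
The two privilege models contrasted in the message above (a password-checking helper that is setuid root versus one that is setgid to the "shadow" group), as an added example that is not part of the original message. The function names, the gid value 42 and the requirement that the shadow file be owned by root with group shadow and mode 0640 are assumptions made for illustration.

```python
import os
import stat

def helper_model(mode, uid, gid, shadow_gid):
    """Classify how a password-checking helper gets access to the shadow file."""
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    if suid and uid == 0:
        return "setuid-root"       # runs with full root privilege
    if sgid and gid == shadow_gid:
        return "setgid-shadow"     # gains only the shadow group
    if suid or sgid:
        return "other-privileged"  # set-id to some other user or group
    return "unprivileged"

def shadow_problems(mode, uid, gid, shadow_gid):
    """Reasons a setgid-shadow helper would fail or the hashes would be over-exposed."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if gid != shadow_gid:
        problems.append("group is not shadow")
    if not mode & stat.S_IRGRP:
        problems.append("group cannot read")
    if mode & stat.S_IWGRP:
        problems.append("group can write")
    if mode & stat.S_IRWXO:
        problems.append("accessible to others")
    return problems

def audit(helper_path, shadow_path, shadow_gid):
    """Apply both checks to files on disk; returns (model, problems)."""
    h, s = os.stat(helper_path), os.stat(shadow_path)
    return (helper_model(h.st_mode, h.st_uid, h.st_gid, shadow_gid),
            shadow_problems(s.st_mode, s.st_uid, s.st_gid, shadow_gid))

if __name__ == "__main__":
    SHADOW_GID = 42  # assumed gid of the "shadow" group
    # Constructed (mode, uid, gid) samples, not read from any real system.
    print(helper_model(0o104755, 0, 0, SHADOW_GID))            # setuid root helper
    print(helper_model(0o102755, 0, SHADOW_GID, SHADOW_GID))   # setgid shadow helper
    print(shadow_problems(0o100640, 0, SHADOW_GID, SHADOW_GID))
    print(shadow_problems(0o100600, 0, 0, SHADOW_GID))
```
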