Re: radiusd-freeradius history and future



On Wed, 12 Nov 2003 13:47, Matt Zimmerman wrote:
> On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote:
> > Allowing a RADIUS server to authenticate local users against /etc/shadow
> > is standard and expected functionality IMHO.  I consider any RADIUS
> > server which can't authenticate against the local accounts database to be
> > severely broken.
>
> I disagree; I wouldn't let any of these RADIUS implementations near my
> shadow file.

unix_chkpwd is a reasonable solution to this.

> > One possible solution to this is to have a special GID for non-root
> > programs which are allowed to check passwords.  I would be happy to code
> > this if someone else wants to do the testing...
>
> We already have such a group, named "shadow".  In fact, I don't know why
> unix_chkpwd is setuid root rather than setgid shadow.

Bug report #155583 has been open for over a year.  I have repeated the tests 
of Lee and Robert and verified that it works fine as SETGID rather than 
SETUID.

Also I believe that Lee's statement regarding NIS is incorrect, unix_chkpwd 
only does /etc/shadow.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
