Re: radiusd-freeradius history and future
On Wed, 12 Nov 2003 13:47, Matt Zimmerman wrote:
> On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote:
> > Allowing a RADIUS server to authenticate local users against /etc/shadow
> > is standard and expected functionality IMHO. I consider any RADIUS
> > server which can't authenticate against the local accounts database to be
> > severely broken.
>
> I disagree; I wouldn't let any of these RADIUS implementations near my
> shadow file.

unix_chkpwd is a reasonable solution to this.

> > One possible solution to this is to have a special GID for non-root
> > programs which are allowed to check passwords. I would be happy to code
> > this if someone else wants to do the testing...
>
> We already have such a group, named "shadow". In fact, I don't know why
> unix_chkpwd is setuid root rather than setgid shadow.

Bug report #155583 has been open for over a year. I have repeated the tests
of Lee and Robert and verified that it works fine as SETGID rather than
SETUID.

Also I believe that Lee's statement regarding NIS is incorrect; unix_chkpwd
only does /etc/shadow.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
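
The setuid-root versus setgid-shadow question raised in this message can be checked on a given system with a short script. This is an added example, not part of the original post; the default helper path /sbin/unix_chkpwd, the function names and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: report how a password-check helper obtains read access to
# the shadow file (setuid root vs. setgid shadow). Paths are assumptions.

# classify_helper MODE OWNER GROUP   (MODE is octal, as printed by stat -c %a)
classify_helper() {
    h_mode=$1 h_owner=$2 h_group=$3
    # Bits 9-11 of the mode hold setuid (4), setgid (2) and sticky (1).
    special=$(( (0$h_mode >> 9) & 7 ))
    if [ $(( special & 4 )) -ne 0 ] && [ "$h_owner" = root ]; then
        echo setuid-root        # runs with full root privilege
    elif [ $(( special & 4 )) -ne 0 ]; then
        echo setuid-other
    elif [ $(( special & 2 )) -ne 0 ] && [ "$h_group" = shadow ]; then
        echo setgid-shadow      # gains only the shadow group
    elif [ $(( special & 2 )) -ne 0 ]; then
        echo setgid-other
    else
        echo unprivileged
    fi
}

# shadow_readable_by_group MODE GROUP
# Succeeds when the file is group "shadow", group-readable, and gives
# no access to "other", which is what a setgid-shadow helper relies on.
shadow_readable_by_group() {
    s_mode=$1 s_group=$2
    [ "$s_group" = shadow ] &&
        [ $(( 0$s_mode & 040 )) -ne 0 ] &&
        [ $(( 0$s_mode & 007 )) -eq 0 ]
}

# audit HELPER SHADOW_FILE: stat both files and print the findings.
audit() {
    helper=$1 shadow_file=$2
    h_info=$(stat -c '%a %U %G' "$helper") || return 2
    s_info=$(stat -c '%a %G' "$shadow_file") || return 2
    set -- $h_info
    echo "$helper: $(classify_helper "$1" "$2" "$3")"
    set -- $s_info
    if shadow_readable_by_group "$1" "$2"; then
        echo "$shadow_file: group shadow can read it; setgid shadow suffices"
    else
        echo "$shadow_file: mode $1 group $2; a setgid-shadow helper cannot rely on it"
    fi
}

# Run only when paths are given, e.g.: sh audit.sh /sbin/unix_chkpwd /etc/shadow
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```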