[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: radiusd-freeradius history and future

On Wed, Nov 12, 2003 at 03:36:40PM +1100, Russell Coker wrote:
> On Wed, 12 Nov 2003 13:47, Matt Zimmerman wrote:
> unix_chkpwd is a reasonable solution to this.
>>> One possible solution to this is to have a special GID for
>>> non-root programs which are allowed to check passwords.  I would
>>> be happy to code this if someone else wants to do the testing...

>> We already have such a group, named "shadow".  In fact, I don't
>> know why unix_chkpwd is setuid root rather than setgid shadow.
> Bug report #155583 has been open for over a year.  I have repeated
> the tests of Lee and Robert and verified that it works fine as
> SETGID rather than SETUID.
> Also I believe that Lee's statement regarding NIS is incorrect, unix_chkpwd 
> only does /etc/shadow.


You are wrong, unix_chkpwd does NIS (at least in the szenario I just
tested). After changing unix_chkpwd from 4755 root:root to 2755
root:shadow a NIS user can not unlock the terminal he has just locked
himself with vlock anymore.

The NIS-server is configured with
*                          : *       : shadow.byname    : port
*                          : *       : passwd.adjunct.byname : port


            cu andreas

Reply to: