[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: radiusd-freeradius history and future

On Thu, Nov 13, 2003 at 10:43:58AM +1100, Russell Coker wrote:
> On Thu, 13 Nov 2003 03:59, Andreas Metzler wrote:
>>> Also I believe that Lee's statement regarding NIS is incorrect,
>>> unix_chkpwd only does /etc/shadow.

>> testing.....

>> You are wrong, unix_chkpwd does NIS (at least in the szenario I just
>> tested). After changing unix_chkpwd from 4755 root:root to 2755
>> root:shadow a NIS user can not unlock the terminal he has just locked
>> himself with vlock anymore.

> I've just read the code more carefully.  It seems that the only NIS specific 
> code is the following:
> if (strcmp(pwd->pw_passwd, "*NP*") == 0) {      /* NIS+ */
> } else {
>   salt = x_strdup(pwd->pw_passwd);
> }

This seems to be code for NIS+, not NIS.

> Now if the program is SGID shadow (same as vlock incidentally) then the UID of 
> the process should already be the same as pwd->pw_uid and therefore it should 
> all work.

> Or do you have to be root for getpwnam() to work on NIS accounts?

In certain NIS configurations you can only access the hashed password
if your query to the NIS server comes from a privileged port <=1024,
i.e. afaict yes.

I should have stated this more clearly in my initial mail. I was in a
hurry, sorry.

> Could you please do some more tests on this?

If you tell me what exactly you want me to test I can run the test
(not tomorrow, but soon enough)
           cu andreas
PS: I am subscribed to -devel, please don't cc me, thanks.
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Reply to: