Re: Auth with PAM
>>>>> "Tim" == Tim Dijkstra <tim@famdijkstra.org> writes:
Tim> It does, it has a set of functions for doing pam
Tim> authentication. It's about exim. The problem is it runs as
Tim> mail:mail so it can't handle /etc/shadow.
libpam-modules has this setuid helper program:
-rwsr-xr-x 1 root root 14508 Jan 22 07:25 /sbin/unix_chkpwd*
so if your program does the right thing with PAM, and uses the correct
PAM modules (pam_unix.so), everything should "just work" without having
any special privileges.
At least, that is my understanding from the man page of unix_chkpwd:
A helper binary for the pam_unix module, unix_chkpwd, is
provided to check the user's password when it is stored in
a read protected database, such as shadow'd passwords.
This binary is very simple and will only check the password
of the user invoking it. It is called transparently
on behalf of the user by the authenticating component of
the pam_unix module. In this way it is possible for
applications like xlock to work without being setuid root.
xlock is:
scrooge:~# ls -l /usr/X11R6/bin/xlock
-rwxr-xr-x 1 root root 825744 Jan 16 02:11 /usr/X11R6/bin/xlock
not setuid or setgid, and I can only presume that it works even with a
shadow password file (I use LDAP).
However, then I see that xscreensaver is setgid shadow:
-rwxr-sr-x 1 root shadow 229532 Nov 7 03:25 /usr/bin/xscreensaver*
so maybe this is a bug in xscreensaver?
--
Brian May <bam@debian.org>