Quoting Slavko (2013-01-09 18:25:22)
> On Tue, 08 Jan 2013 22:05:12 +0100 Guillaume Ayoub
> <guillaume.ay...@kozea.fr> wrote:
> >
> > It can be a solution, not really clean but much easier.
> >
>
> It seems a bad solution, because this was working only when
> radicale was run under root. Running the radicale server under another
> user results in failure to log in :-(
>
> I was playing with the pam module outside of radicale, and it seems that
> this module works under root and under the user who is trying to log in.
> But the login fails under other users and this is bad. But perhaps I
> was doing something wrong...
>
> I am sorry, I won't use radicale any more.

You most likely use PAM with shadow passwords. Then by design only root
and users in the shadow group can successfully authenticate. Tools like
login run as root - i.e. have the setuid bit set: more info with this
command:

  info coreutils 'Mode Structure'

You can test if that is the case by temporarily "lowering the fence"
and disabling shadow passwords with this command:

  shadowconfig off

Don't do that in production, however - there is a good reason shadow
config is activated!

For a daemon to sanely use PAM against shadow passwords, something needs
to run as trusted. Ideally not the whole daemon, but only a tiny
isolated tool which can be more easily security audited.

One (relatively complex) way to get around the limitations of this is to
use LDAP. Another less common one is to use poppassd and lock it down
to only serve on localhost.


 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
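
The restriction described in this thread can be checked without switching shadow passwords off. The following is an added example, not code from the thread or from Radicale: it predicts, from the owner, group and mode of /etc/shadow, whether a given daemon account can verify other users' passwords through pam_unix. The function names and the sample values are assumptions, and ACLs and capabilities are ignored.

```python
import grp
import os
import pwd
import stat
import sys

# Constructed sample: shadow file owned by root, readable by group 42 (hypothetical shadow gid).
SAMPLE = {"mode": 0o640, "owner_uid": 0, "owner_gid": 42}


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix read-permission check: owner class, then group, then other."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def pam_unix_scope(mode, owner_uid, owner_gid, uid, gids):
    """Return 'any' if this identity can read the hashes, else 'self'.

    'self' reflects pam_unix falling back to its setuid helper, which
    checks at most the password of the account that calls it.
    """
    if can_read(mode, owner_uid, owner_gid, uid, gids):
        return "any"
    return "self"


def daemon_identity(username):
    """Look up the uid and the full set of group ids of a local account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def check(username, shadow_path="/etc/shadow"):
    """Evaluate the real shadow file against the given daemon account."""
    st = os.stat(shadow_path)  # stat only; the hashes themselves are never read
    uid, gids = daemon_identity(username)
    return pam_unix_scope(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.geteuid()).pw_name
    print(user, "->", check(user))
```

Run it with the daemon's account name as the only argument; a result of `self` matches the behaviour reported above, where login succeeds only for root and for the user the process runs as.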