Hi Martin,

On Tue, Aug 02, 2005 at 03:19:10PM +0200, Martin Pitt wrote:
> In Ubuntu we now install unix_chkpwd with setgid shadow by default to
> eliminate this rather useless suid root program:
> http://patches.ubuntu.com/patches/pam.unix_chkpwd-deroot.diff

Well, I've recently received a patch that originates from Red Hat's PAM tree, which adds support for using unix_chkpwd as a password *changing* helper as well. I'm actually not too thrilled with the code itself, but it seems that at least some people believe this is necessary for SELinux-enabled systems with certain policies; and using unix_chkpwd as a password-changing helper does seem to preclude dropping the suid bit, since /etc/shadow is not group-writable (nor should it be).

I'm happy to see the privileges of unix_chkpwd reduced, as long as we can do this in a way that also meets the needs of SELinux users.

-- 
Steve Langasek
postmodern programmer