On Wed, 12 Nov 2003 13:47, Matt Zimmerman wrote:
> On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote:
> > Allowing a RADIUS server to authenticate local users against /etc/shadow
> > is standard and expected functionality IMHO. I consider any RADIUS
> > server which can't authenticate against the local accounts database to be
> > severely broken.
>
> I disagree; I wouldn't let any of these RADIUS implementations near my
> shadow file.

unix_chkpwd is a reasonable solution to this.

> > One possible solution to this is to have a special GID for non-root
> > programs which are allowed to check passwords. I would be happy to code
> > this if someone else wants to do the testing...
>
> We already have such a group, named "shadow". In fact, I don't know why
> unix_chkpwd is setuid root rather than setgid shadow.

Bug report #155583 has been open for over a year. I have repeated the tests of Lee and Robert and verified that it works fine as SETGID rather than SETUID.

Also I believe that Lee's statement regarding NIS is incorrect; unix_chkpwd only does /etc/shadow.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
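An added audit script (not from this thread or from PAM/Debian) that checks the point under discussion: whether a password-checking helper is setuid root when setgid shadow would do, given that /etc/shadow is readable by group "shadow". The default paths /sbin/unix_chkpwd and /etc/shadow are assumptions for a Debian-style layout.

```python
import os
import stat
import grp

# Assumed Debian-style locations; adjust for other systems.
UNIX_CHKPWD = "/sbin/unix_chkpwd"
SHADOW_FILE = "/etc/shadow"


def classify_privilege(mode, uid, gid, shadow_gid):
    """From a file's permission bits and ownership, report which elevated
    privilege a helper carries: 'setuid-root', 'setgid-shadow', 'both' or 'none'."""
    suid_root = bool(mode & stat.S_ISUID) and uid == 0
    sgid_shadow = bool(mode & stat.S_ISGID) and gid == shadow_gid
    if suid_root and sgid_shadow:
        return "both"
    if suid_root:
        return "setuid-root"
    if sgid_shadow:
        return "setgid-shadow"
    return "none"


def shadow_group_readable(mode, gid, shadow_gid):
    """True when the shadow file is owned by group 'shadow', readable by that
    group and has no world permission bits, the precondition for a
    setgid-shadow helper to be able to verify passwords."""
    group_read = bool(mode & stat.S_IRGRP)
    world_bits = mode & stat.S_IRWXO
    return gid == shadow_gid and group_read and world_bits == 0


def audit(helper=UNIX_CHKPWD, shadow=SHADOW_FILE):
    """Stat the helper and the shadow file and report whether the helper
    holds more privilege than reading the shadow file requires."""
    shadow_gid = grp.getgrnam("shadow").gr_gid
    h = os.stat(helper)
    s = os.stat(shadow)
    priv = classify_privilege(stat.S_IMODE(h.st_mode), h.st_uid, h.st_gid, shadow_gid)
    ok_shadow = shadow_group_readable(stat.S_IMODE(s.st_mode), s.st_gid, shadow_gid)
    return {
        "helper": helper,
        "privilege": priv,
        "shadow_group_readable": ok_shadow,
        # setgid shadow suffices only if group 'shadow' can read the file
        "over_privileged": priv in ("setuid-root", "both") and ok_shadow,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```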