PAM has no special privileges. PAM library calls run with the same privilege
level as the calling program. Therefore, not even the user 'cyrus' can
authenticate without permissions set to 444. With that said and your
obvious experience to the contrary, are you talking about cyrus
authenticating from an email client package or the user cyrus
authenticating via cyradm? If the latter, are you running with root
privileges when you authenticate as user cyrus? I'm just trying to figure
out what might be different when you authenticate as cyrus as opposed to
any other user because basically, the cyrus login should fail too if
/etc/shadow is root readable only.
BTW, better than setting /etc/shadow to 444, set the permissions to 440 and
make sure that imapd runs under a group that has group read privileges on
/etc/shadow -- but make sure no other non-privileged program runs as that
group. I presume that imap was built to run as group "mail" which is
pretty standard. One solution would be to rebuild imap to run as user
"cyrus" and group "cyrus" and don't use group "cyrus" for anything else.
Now change /etc/shadow to be owned by user "root" and group "cyrus", and
set the perms to 440. This is less of a compromise. Other options include
running the pwcheck daemon which avoids any changes to /etc/shadow. And
probably the best choice is to use LDAP which, again, requires no special
privileges.
But yes, I am perplexed as to why user 'cyrus' can authenticate. You are
obviously doing something different with user 'cyrus' although what that
difference is may not be quite so obvious.
-- Rob
--On Thursday, August 09, 2001 08:40:58 AM -0500 Tyrone Vaughn
<[EMAIL PROTECTED]> wrote:
> I have done six implementations of Cyrus (2.0.11 - 2.0.16) and in each
> one I have the same problem. No user, other than cyrus, can
> authenticate unless I make the shadow file 444 versus its original 400.
>
> Pertinent information:
> OS's -- RH 6.2, 7.0 & Mandrake 7.2, 8.0
> Cyrus -- 2.0.11 - 2.0.16
> Sasl -- 1.5.24
>
> /etc/imapd.conf --
> sasl_pwcheck_method: PAM
>
> /usr/lib/sasl/Cyrus.conf --
> pwcheck_method: PAM
>
> Any ideas? Anyone seen this before?
>
> Thanks!
>
> Tyronee
>
> --
> "A wise man will make more opportunities than he finds."
>
> Francis Bacon
QUIDQUID LATINE DICTUM SIT, PROFUNDUM VIDITUR
(Whatever is said in Latin appears profound)
Rob Tanner
UNIX and Networks Manager
Linfield College, McMinnville OR
(503) 434-2558 <[EMAIL PROTECTED]>
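The permission model Rob suggests above (root:cyrus, mode 440, and no other setgid program in that group) can be audited with a small script. What follows is an added example, not code from the thread or from Cyrus IMAP. It assumes GNU coreutils stat(1) and find(1); the file path, owner and group are parameters so it can be exercised on a scratch copy rather than the live /etc/shadow.

```shell
# shadow_perm_check FILE GROUP [OWNER]
#   returns 0 when FILE is mode 400, or mode 440 owned by OWNER (default root)
#            with group GROUP (the layout Rob describes)
#   returns 1 when "other" can read it (the 444 workaround), the owner or
#            group is wrong, or the mode is anything else
#   returns 2 when FILE cannot be stat'ed
shadow_perm_check() {
    file=$1
    want_group=$2
    want_owner=${3:-root}

    info=$(stat -c '%a %U %G' "$file" 2>/dev/null) || return 2
    set -- $info
    mode=$1 owner=$2 group=$3

    # stat prints a 4th leading digit when setuid/setgid/sticky is set; drop it
    perm=${mode#"${mode%???}"}
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}

    if [ "$o" != 0 ]; then
        echo "FAIL: $file mode $mode is readable by everyone; revert the 444 workaround" >&2
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $file owned by $owner, expected $want_owner" >&2
        return 1
    fi
    case "$u$g" in
        40) echo "OK: $file mode $mode, owner-only access"; return 0 ;;
        44) ;;
        *)  echo "FAIL: $file mode $mode (expected 400 or 440)" >&2; return 1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $file group is $group, expected $want_group" >&2
        return 1
    fi
    echo "OK: $file mode $mode, group $group may read it"
    return 0
}

# setgid_programs_in DIR GROUP
#   lists regular files under DIR that run setgid GROUP.  With shadow at 440,
#   every program printed here (other than the IMAP daemon itself) is a path
#   for an unprivileged user to read the password hashes.
setgid_programs_in() {
    find "$1" -xdev -type f -perm -2000 -group "$2" 2>/dev/null
}
```

Typical use on a live system is `shadow_perm_check /etc/shadow cyrus` followed by `setgid_programs_in / cyrus`; the second command should list only the imapd binary (or nothing, if imapd is started under that group by its init script rather than via a setgid bit).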