pam_unix opens /etc/shadow as regular user

Les Mikesell les at futuresource.com
Fri Jan 27 17:30:32 UTC 2006


On Fri, 2006-01-27 at 10:30, Jonathan DeSena wrote:
> On Fri, 27 Jan 2006 16:17:46 +0100, Thorsten Kukuk wrote:
> > You don't need super-user rights, you only need the correct rights. And
> > this depends on which mode and owner/group /etc/shadow has. With
> > super-user rights you can of course always read it.
> 
> Okay, now I understand what you meant. It is true that the
> permissions of the shadow file COULD be anything, however, it is traditional
> (I expected standard) that it be owned by root:root with permissions 0400.
> If not, it loses the whole point of the shadow file -- hiding passwords
> from regular users. Should not pam_unix EXPECT traditional permissions on
> /etc/shadow, given that it is the "standard Unix authentication module"?

The common exception is where you want web authentication to
use pam and one of the methods you want to include is
the system password file.  In this case you have to give
httpd read access, probably by making shadow group apache
and group readable.  If you are proposing a change that makes
this unnecessary, then root:root might be reasonable.

-- 
  Les Mikesell
   lesmikesell at gmail.com
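Added example, not part of the list message above: a small POSIX shell check that classifies the ownership and mode of a shadow-style file into the cases the thread discusses (root-only as the traditional 0400 root:root, group-readable as the web-auth exception, world-readable as the case that defeats the purpose of the file). The pure function takes the mode, owner and group as strings so it can be exercised on constructed values; the wrapper that reads them from a real path assumes GNU `stat -c`.

```shell
#!/bin/sh
# classify_shadow_perms MODE OWNER GROUP
#   MODE is an octal string as printed by `stat -c %a` (e.g. 400, 0640).
#   Prints exactly one classification:
#     other-owner     - file is not owned by root, so root no longer controls it
#     world-readable  - any local user can read password hashes
#     group-readable  - only members of GROUP (e.g. apache) can read it
#     root-only       - the traditional root:root 0400 style protection
classify_shadow_perms() {
    mode=$1
    owner=$2
    group=$3

    # A leading 0 makes POSIX shell arithmetic parse the string as octal,
    # so "400", "0400" and "640" are all handled the same way.
    bits=$(( 0$mode ))
    grp_bits=$(( (bits >> 3) & 7 ))
    oth_bits=$(( bits & 7 ))

    if [ "$owner" != root ]; then
        printf 'other-owner\n'
    elif [ $(( oth_bits & 4 )) -ne 0 ]; then
        printf 'world-readable\n'
    elif [ $(( grp_bits & 4 )) -ne 0 ]; then
        printf 'group-readable\n'
    else
        printf 'root-only\n'
    fi
}

# check_shadow_file PATH
#   Reads mode/owner/group from the filesystem and classifies them.
#   Assumes GNU coreutils stat (the -c format flags); prints the
#   classification followed by the raw values for the audit log.
check_shadow_file() {
    path=${1:-/etc/shadow}
    set -- $(stat -c '%a %U %G' "$path") || return 2
    cls=$(classify_shadow_perms "$1" "$2" "$3")
    printf '%s %s %s:%s %s\n' "$path" "$1" "$2" "$3" "$cls"
    # Non-zero exit for anything weaker than root-only, so the check
    # can gate a cron job or a configuration-management run.
    [ "$cls" = root-only ]
}

# Constructed sample values illustrating each case:
classify_shadow_perms 400  root root    # root-only
classify_shadow_perms 640  root apache  # group-readable
classify_shadow_perms 644  root root    # world-readable
classify_shadow_perms 0400 les  les     # other-owner
```

Running `check_shadow_file` with no argument inspects /etc/shadow itself; its exit status is zero only for the root-only case, so a group-readable file set up for httpd is reported but flagged rather than silently accepted.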
