On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote:

> Allowing a RADIUS server to authenticate local users against /etc/shadow
> is standard and expected functionality IMHO. I consider any RADIUS server
> which can't authenticate against the local accounts database to be
> severely broken.

I disagree; I wouldn't let any of these RADIUS implementations near my shadow file.

> One possible solution to this is to have a special GID for non-root
> programs which are allowed to check passwords. I would be happy to code
> this if someone else wants to do the testing...

We already have such a group, named "shadow". In fact, I don't know why unix_chkpwd is setuid root rather than setgid shadow.

--
 - mdz