On Wed, Nov 12, 2003 at 03:36:40PM +1100, Russell Coker wrote:
> On Wed, 12 Nov 2003 13:47, Matt Zimmerman wrote:
[...]
> unix_chkpwd is a reasonable solution to this.
>>> One possible solution to this is to have a special GID for
>>> non-root programs which are allowed to check passwords. I would
>>> be happy to code this if someone else wants to do the testing...
>> We already have such a group, named "shadow". In fact, I don't
>> know why unix_chkpwd is setuid root rather than setgid shadow.
> Bug report #155583 has been open for over a year. I have repeated
> the tests of Lee and Robert and verified that it works fine as
> SETGID rather than SETUID.
> Also I believe that Lee's statement regarding NIS is incorrect, unix_chkpwd
> only does /etc/shadow.

testing.....

You are wrong, unix_chkpwd does NIS (at least in the scenario I just tested).

After changing unix_chkpwd from 4755 root:root to 2755 root:shadow, a NIS user
cannot unlock the terminal he has just locked himself with vlock anymore.

The NIS server is configured with

    * : * : shadow.byname : port
    * : * : passwd.adjunct.byname : port

and MERGE_PASSWD=false.

cu andreas
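Editor's note, not part of the thread above: the `port` keyword in the ypserv.conf lines quoted in the message restricts the shadow.byname and passwd.adjunct.byname maps to requests arriving from a privileged source port (below 1024). Binding such a port requires uid 0, so a unix_chkpwd that is only setgid shadow can still read the local /etc/shadow but can no longer satisfy the NIS server's port check, which matches the vlock failure reported. The script below is an added example (my code, not Debian's or PAM's) for checking which privilege model a password-checking helper is installed with; the path /sbin/unix_chkpwd is an assumption about where the binary lives and is passed in as an argument rather than hard-coded.

```shell
#!/bin/sh
# Added example: report how a password-checking helper is privileged.
# Uses only POSIX tests (-u, -g) plus ls/awk so it works without GNU stat.
# Prints one of:
#   setuid <owner>          e.g. "setuid root"  (the 4755 root:root case)
#   setgid <group>          e.g. "setgid shadow" (the 2755 root:shadow case)
#   setuid+setgid <o>:<g>
#   unprivileged
#   missing                 (and returns 1) when the path does not exist

privmode() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing"
        return 1
    fi
    # ls -ld is portable; fields 3 and 4 are owner and group.
    owner=$(ls -ld "$f" | awk '{print $3}')
    group=$(ls -ld "$f" | awk '{print $4}')
    suid=0
    sgid=0
    [ -u "$f" ] && suid=1
    [ -g "$f" ] && sgid=1
    if [ "$suid" -eq 1 ] && [ "$sgid" -eq 1 ]; then
        echo "setuid+setgid $owner:$group"
    elif [ "$suid" -eq 1 ]; then
        echo "setuid $owner"
    elif [ "$sgid" -eq 1 ]; then
        echo "setgid $group"
    else
        echo "unprivileged"
    fi
    return 0
}

# Usage: sh check_chkpwd.sh /sbin/unix_chkpwd [more paths...]
# (path is an assumption; pass whatever your distribution installs).
for f in "$@"; do
    privmode "$f"
done
```

A helper reported as "setgid shadow" can open the local shadow file, but any lookup that needs a reserved source port (the `port` security setting in ypserv.conf) will still fail unless the process also runs as uid 0, so this check is the first thing to run when a mode change like 4755 to 2755 is followed by NIS users being unable to authenticate.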