>>>>> "Tim" == Tim Dijkstra <[EMAIL PROTECTED]> writes:
Tim> It does, it has a set of functions for doing pam
Tim> authentication. It's about exim. The problem is it runs as
Tim> mail:mail so it can't handle /etc/shadow.

libpam-modules has this setuid helper program:

    -rwsr-xr-x 1 root root 14508 Jan 22 07:25 /sbin/unix_chkpwd*

so if your program does the right thing with PAM, and uses the correct
PAM modules (pam_unix.so), everything should "just work" without having
any special privileges.

At least, that is my understanding from the man page of unix_chkpwd:

    A helper binary for the pam_unix module, unix_chkpwd, is provided
    to check the user's password when it is stored in a read protected
    database, such as shadow'd passwords. This binary is very simple
    and will only check the password of the user invoking it. It is
    called transparently on behalf of the user by the authenticating
    component of the pam_unix module. In this way it is possible for
    applications like xlock to work without being setuid root.

xlock is:

    scrooge:~# ls -l /usr/X11R6/bin/xlock
    -rwxr-xr-x 1 root root 825744 Jan 16 02:11 /usr/X11R6/bin/xlock

not setuid or setgid, and I can only presume that it works even with a
shadow password file (I use LDAP).

However, then I see that xscreensaver is setgid shadow:

    -rwxr-sr-x 1 root shadow 229532 Nov 7 03:25 /usr/bin/xscreensaver*

so maybe this is a bug in xscreensaver?

-- 
Brian May <[EMAIL PROTECTED]>
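
Added example, not part of the original message: a Python parser that decodes the mode and owner columns of the three `ls -l` listings quoted above and reports which binary runs with an elevated uid or gid. The listing text is copied from the message; the names `LISTINGS`, `classify` and `audit` are illustrative.

```python
import re

# Listings copied from the message (trailing '*' is the ls -F executable marker).
LISTINGS = """\
-rwsr-xr-x 1 root root 14508 Jan 22 07:25 /sbin/unix_chkpwd*
-rwxr-xr-x 1 root root 825744 Jan 16 02:11 /usr/X11R6/bin/xlock
-rwxr-sr-x 1 root shadow 229532 Nov 7 03:25 /usr/bin/xscreensaver*
"""

# mode, link count, owner, group, size, month, day, time-or-year, path
LINE_RE = re.compile(
    r"^(?P<mode>[-bcdlps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<path>.+)$"
)


def classify(line):
    """Return the set-id properties encoded in one `ls -l` line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not an ls -l line: %r" % line)
    mode = m.group("mode")
    # Index 3 is the owner-execute slot, index 6 the group-execute slot.
    # 's' means set-id bit plus execute, 'S' means set-id bit without execute.
    setuid = mode[3] in "sS"
    setgid = mode[6] in "sS"
    elevated = []
    if setuid:
        elevated.append("uid=" + m.group("owner"))
    if setgid:
        elevated.append("gid=" + m.group("group"))
    return {
        # Assumption: a trailing '*' comes from ls -F, not from the file name.
        "path": m.group("path").rstrip("*"),
        "setuid": setuid,
        "setgid": setgid,
        "elevated": elevated,
    }


def audit(text):
    """Classify every non-empty line of an `ls -l` listing."""
    return [classify(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for entry in audit(LISTINGS):
        ids = ", ".join(entry["elevated"]) or "caller's own ids"
        print("%-26s runs with %s" % (entry["path"], ids))
```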