Re: [Exim] PAM for SMTP auth

Author: Nigel Metheringham
Date:  
CC: Adrian Daminato, exim-users
Subject: Re: [Exim] PAM for SMTP auth
ph10@??? said:
> I'm afraid you cannot. Exim runs as "exim" when talking to remote
> hosts, when configured as recommended with its own uid. All I can
> suggest is that you somehow provide a setuid wrapper for PAM, but I
> don't know how this could be done.

There is a mechanism for doing this already - used for example by xlock
(which on all recent systems is *not* setuid or even setgid, but does
allow password checking even when shadow passwords are in use).

This appears to be part of the pam modules - specifically pam_pwdb - 
the manual entry reads:-
          A helper binary, pwdb_chkpwd, is provided to check the user's
          password when it is stored in a read protected database. This
          binary is very simple and will only check the password of the
          user invoking it. It is called transparently on behalf of the
          user by the authenticating component of this module. In this
          way it is possible for applications like xlock to work without
          being setuid-root.

However, this has the serious problem that it will check only the
password of the current user - likely to be exim during an SMTP session.

It's probably worth taking this case up on the pam lists since it must
to some extent be a common problem. Running the whole thing as root is
a bad idea, as is using seteuid to jump back and forth.

My best solution so far is to have a small setuid binary that only
works if called by user exim and takes the user/pass through a pipe and
returns an appropriate exit code. Exim would obviously also need
modifying to use this. This does have the advantage of separating out
the authentication code in a way that allows easy substitution of any
other user database formats without touching exim itself.

    Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
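The helper design sketched in the message above (a small setuid binary that only works when invoked by the exim user, reads the credentials over a pipe and reports the result as an exit code) can be written in a few dozen lines of C. The block below is an added example, not code from the post, from Exim or from the PAM project. Everything in it is an assumption made for illustration: the uid of the exim user (93), the PAM service name "exim", the wire format "user, newline, password, newline" on stdin, and the exit-code values. Building with -DHAVE_PAM and -lpam uses PAM as the backend; without those flags a constructed in-memory table stands in for the user database, which is also what the author meant by being able to swap in other database formats without touching Exim.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef HAVE_PAM
#include <security/pam_appl.h>
#endif

/* Exit codes the helper returns to exim (assumed values). */
#define EXIT_AUTH_OK     0
#define EXIT_AUTH_FAIL   1
#define EXIT_BAD_REQUEST 2
#define EXIT_NOT_ALLOWED 3

/* Assumption: the uid of the "exim" user on this host. A real build would
 * resolve it from the password database or bake it in at install time. */
#define EXIM_UID 93

struct request { char user[128]; char pass[256]; };

/* Gate on the real uid: under setuid-root the effective uid is 0 and the
 * real uid is whoever executed the helper, which must be the exim user. */
int caller_is_allowed(uid_t real_uid, uid_t allowed_uid)
{
    return real_uid == allowed_uid;
}

/* Assumed wire format read from the pipe: "<user>\n<password>\n". Returns 0
 * on success, -1 if a field is missing, overlong, empty user, or NUL inside. */
int parse_request(const char *buf, size_t len, struct request *req)
{
    const char *nl1 = memchr(buf, '\n', len);
    if (nl1 == NULL || memchr(buf, '\0', len) != NULL) return -1;
    size_t ulen = (size_t)(nl1 - buf);
    const char *pstart = nl1 + 1;
    const char *nl2 = memchr(pstart, '\n', len - ulen - 1);
    if (nl2 == NULL) return -1;
    size_t plen = (size_t)(nl2 - pstart);
    if (ulen == 0 || ulen >= sizeof req->user || plen >= sizeof req->pass) return -1;
    memcpy(req->user, buf, ulen);    req->user[ulen] = '\0';
    memcpy(req->pass, pstart, plen); req->pass[plen] = '\0';
    return 0;
}

#ifdef HAVE_PAM
/* PAM conversation: answer every hidden prompt with the supplied password. */
static int conv(int n, const struct pam_message **msg,
                struct pam_response **resp, void *data)
{
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (r == NULL) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++)
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF)
            r[i].resp = strdup((const char *)data);
    *resp = r;
    return PAM_SUCCESS;
}

int check_password(const char *user, const char *pass)
{
    pam_handle_t *pamh = NULL;
    struct pam_conv c = { conv, (void *)pass };
    int rc = pam_start("exim", user, &c, &pamh);   /* service name: assumption */
    if (rc == PAM_SUCCESS) rc = pam_authenticate(pamh, PAM_SILENT);
    if (rc == PAM_SUCCESS) rc = pam_acct_mgmt(pamh, PAM_SILENT);
    if (pamh != NULL) pam_end(pamh, rc);
    return rc == PAM_SUCCESS;
}
#else
/* Constructed stand-in backend so the helper can be exercised without PAM. */
static const struct { const char *user, *pass; } table[] = {
    { "alice", "correct horse" }, { "bob", "hunter2" },
};
int check_password(const char *user, const char *pass)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].user, user) == 0 && strcmp(table[i].pass, pass) == 0)
            return 1;
    return 0;
}
#endif

/* Overwrite a buffer through a volatile pointer so the compiler keeps it. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Map one request from a given caller to the exit code exim will see. */
int handle_request(uid_t real_uid, const char *buf, size_t len)
{
    struct request req;
    if (!caller_is_allowed(real_uid, EXIM_UID)) return EXIT_NOT_ALLOWED;
    if (parse_request(buf, len, &req) != 0) return EXIT_BAD_REQUEST;
    int rc = check_password(req.user, req.pass) ? EXIT_AUTH_OK : EXIT_AUTH_FAIL;
    wipe(req.pass, sizeof req.pass);
    return rc;
}

int main(void)
{
    char buf[512];
    ssize_t n = read(STDIN_FILENO, buf, sizeof buf);   /* exim writes the pipe */
    if (n <= 0) return EXIT_BAD_REQUEST;
    int rc = handle_request(getuid(), buf, (size_t)n);
    wipe(buf, sizeof buf);
    return rc;
}
```

Installed setuid root (or setuid to whatever user can read the shadow database) and executable only by the exim user, the binary never exposes a way to check anyone's password to other local users, and Exim itself stays unprivileged: it only has to run the helper, write the two lines and look at the exit status.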