Re: [Exim] Exim and PAM, again

On 13-Sep-00 at 07:01, Nigel Metheringham (Nigel.Metheringham@???)
wrote: > I think, although I would like confirmation of this, that its
> impossible to use PAM with exim on most shadow password based systems,
> because exim mostly runs as non-root (unless your configuration does
> otherwise) and you cannot see into shadow password files as non-root.
> [RH has a helper to get round that *but* it only works for checking the
> password related to the UID that you are currently running as]

Cyrus IMAP has a daemon for getting around that - the daemon runs
as root and handles requests through a unix-domain socket which is
protected through the standard unix filesystem permissions. The
request is in the form of a username and password; and the response
is a pass/fail indication. Since the daemon is very simple and single-
purpose, it is safer than giving an entire app read permission on
your shadow password file via group permissions.

It shouldn't be too difficult to extend exim to use the pwcheck daemon.

Of course we'd already have that option if Exim used the Cyrus libsasl
for the SASL authentication lookups...



-Pat