[ On Thursday, October 12, 2000 at 15:32:31 (+0100), Nigel Metheringham wrote: ]
> Subject: Re: [Exim] Security Considerations (AUTH + shadow)
>
> lgrochal@??? said:
> > Still - this is not the way, I believe. I'd rather use PAM to do the
> > authentication.
>
> PAM doesn't help - it has no more privileges to read shadow than any
> other process or library. [Actually some implementations have a setuid
> shadow password checker, *but* they only work for checking the password
> of the user associated with the calling UID].

Exactly. If you want something reasonably secure that won't by default
have access to the full /etc/shadow (or /etc/spw.db or whatever)
contents all at once then you have to use some intermediary agent (and
none of the NIS/YP family really qualify here because they have other
enormous security implications).

One possibility comes to mind: Cyrus SASL, which has a little AF_LOCAL
(local domain sockets) server (pwcheck) that runs in some state of
enhanced privilege necessary to access the password database and which
will accept a user-id and password and check it and provide a
"yeah/neah" answer (i.e. the stored secret is never even given back to
the client so it's impossible to harvest secrets without playing
guessing games).

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@???> <robohack!woods>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>
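
The intermediary-agent design described in the message above, as an added example that is not part of the original post and is not Cyrus SASL's pwcheck code or wire protocol. The `user\0password\0` request framing, the `OK`/`NO` replies, the PBKDF2 store and the names `serve_one` and `check_password` are assumptions made for illustration; a real helper would be a separate privileged process listening on a permission-restricted socket path rather than a thread on a `socketpair`.

```python
import hashlib, hmac, os, socket, threading

def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# Constructed stand-in for the shadow database; only the helper reads it.
_SALT = os.urandom(16)
SHADOW = {b"alice": (_SALT, _hash(b"correct horse", _SALT))}
_DUMMY = (b"\0" * 16, b"\0" * 32)  # hashed against for unknown users

def serve_one(conn: socket.socket) -> None:
    """Privileged side: read 'user\\0password\\0', reply b'OK' or b'NO' only."""
    with conn:
        data = b""
        while data.count(b"\0") < 2 and len(data) < 1024:
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
        parts = data.split(b"\0")
        ok = False
        # Exactly two NUL-terminated fields; anything else is rejected.
        if len(parts) == 3 and parts[2] == b"":
            user, password = parts[0], parts[1]
            salt, stored = SHADOW.get(user, _DUMMY)
            # Always do the hash work so unknown users cost the same time.
            match = hmac.compare_digest(_hash(password, salt), stored)
            ok = match and user in SHADOW
        conn.sendall(b"OK" if ok else b"NO")  # the stored secret never leaves

def check_password(user: bytes, password: bytes) -> bool:
    """Unprivileged side (e.g. the MTA): learns the verdict, never the hash."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    helper = threading.Thread(target=serve_one, args=(server,))
    helper.start()
    with client:
        client.sendall(user + b"\0" + password + b"\0")
        verdict = client.recv(2)
    helper.join()
    return verdict == b"OK"

if __name__ == "__main__":
    print(check_password(b"alice", b"correct horse"))
    print(check_password(b"alice", b"guess"))
```

Because the client can still play the guessing games the message mentions, a deployed helper would also rate-limit and log failed checks per user.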