On Monday 10 July 2006 13:39, Alan J. Flavell took the opportunity to write:
> On Mon, 10 Jul 2006, Wayne Pascoe wrote:
> > On 10 Jul 2006, at 11:40, Tony Finch wrote:
> > > On Sun, 9 Jul 2006, Wayne Pascoe wrote:
> > > > server_condition = "${if pam{$2:$3}{1}{0}}"
> > >
> > > Does exim have read access to /etc/shadow?
> >
> > No, it didn't. Doh!
>
> Hang on - it's not supposed to, is it? The whole point of /etc/shadow
> is to hide the crypted tokens away. Then a mechanism is provided
> (PAM) for checking passwords without having to expose the shadow file.
The problem is that libpam is just a library. It doesn't get any privileges
that the process using it doesn't already have. The solution, besides adding
exim to the shadow group, is to use a method involving some daemon, e.g.
pam_ldap or pam_winbind (pam_mysql won't be any better since you need to
protect the password that gives access to the encrypted passwords).
--
Magnus Holmgren holmgren@???
(No Cc of list mail needed, thanks)
