Re: [exim] Problems with TLS and SMTP authentication

Author: Chris Lightfoot
Date:  
To: exim-users
CC: Alan J. Flavell
Subject: Re: [exim] Problems with TLS and SMTP authentication
On Mon, Jul 10, 2006 at 01:00:53PM +0100, Tony Finch wrote:
> On Mon, 10 Jul 2006, Alan J. Flavell wrote:
> >
> > Hang on - it's not supposed to, is it? The whole point of /etc/shadow
> > is to hide the crypted tokens away. Then a mechanism is provided
> > (PAM) for checking passwords without having to expose the shadow file.
>
> PAM works using shared libraries. It doesn't provide any route around
> Unix's usual security boundaries.
There's typically a setuid helper which pam_unix calls,
isn't there? Usually called unix_chkpwd or pwdb_chkpwd.
It's invoked when pam_unix fails to obtain the password
hash itself with getsp*. However, it can only be used to
test the password of the user calling the program (exim in
this case) and is therefore no use for this application. I
think the idea is to be able to implement something like
xlock without any privileged code outside PAM.

One could patch PAM to relax the constraint on calling
user, of course.

--
``Depending on your age, you will either be singing a song about
clockwork mice who fix things, or thinking, oh my god, someone
has left Edward Heath under the grill.''
(Caitlin Moran; attrib. caption under a picture of Bagpuss)