Re: skeyinit and lock - login class data unavailable (side effect of login_ldap permissions for login.conf)
From: Todd C. Miller (Todd.Miller courtesan.com)
Date: Fri Sep 01 2006 - 18:26:03 CDT
In message <b1468e300608300914t77b2dedfwf510e9c1e58af056 mail.gmail.com>
so spake "Rogier Krieger" (rkrieger):
> Is there a way to open up login.conf without divulging the bindpw?
> Reading the login_ldap and login.conf man pages, I did not find any.
>
> So far, I see two possible remedies: [1] patching login_ldap to obtain
> sensitive data in a similar way as login_radius does from /etc/raddb
> or [2] make /etc/login.conf readable to the 'auth' group, as both lock
> and skeyinit have their SGID bits set.
>
> Since [2] is less intrusive, I am inclined to take that route. Are
> there any setbacks to expect? Other suggestions are more than welcome,
> of course.
I would suggest you go with [2]. There shouldn't be any real
downside.
- todd
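
A check for remedy [2] above, as an added example that is not part of the original thread: a POSIX sh function that verifies a file is group-owned by `auth`, readable by that group, and closed to everyone else, so the SGID `auth` programs can read it while the bindpw stays hidden. The function name `check_login_conf` and the extra rule against group write access are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Audits a login.conf-style file for
# remedy [2]: group "auth" may read it, "other" may not.
# Usage: check_login_conf /etc/login.conf auth
# Returns 0 if compliant, 1 if a rule fails, 2 if the file is missing.
check_login_conf() {
    file=$1
    want_group=${2:-auth}   # group of the SGID binaries (lock, skeyinit)
    rc=0

    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 2; }

    # "ls -ld" output is the same shape on OpenBSD and Linux:
    # field 1 is the mode string, field 4 the group.
    mode=$(ls -ld "$file" | awk '{print $1}')
    group=$(ls -ld "$file" | awk '{print $4}')

    if [ "$group" != "$want_group" ]; then
        echo "$file: group is $group, expected $want_group" >&2
        rc=1
    fi

    # Character 5 of the mode string is the group read bit.
    case $mode in
        ????r*) ;;
        *) echo "$file: not group-readable, SGID $want_group programs get no class data" >&2
           rc=1 ;;
    esac

    # Character 6 is the group write bit (assumed policy: read-only for the group).
    case $mode in
        ?????w*) echo "$file: group-writable" >&2
                 rc=1 ;;
    esac

    # Characters 8-10 are the "other" bits; any access there exposes the bindpw.
    case $mode in
        ???????---*) ;;
        *) echo "$file: accessible to other, bindpw exposed" >&2
           rc=1 ;;
    esac

    return $rc
}
```

A file set up with `chgrp auth /etc/login.conf` and `chmod 640 /etc/login.conf` passes this check.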