From: Laurence Withers (l lwithers.me.uk)
Date: Tue Oct 02 2007 - 13:05:00 CDT
Hi,
I have recently been setting up exim to authenticate SMTP logins via
PAM. This system does not use SELinux. /etc/pam.d/exim includes the
line:
account required pam_unix.so
When it comes to verifying account details (i.e. pam_sm_acct_mgmt() in
modules/pam_unix/pam_unix_acct.c), `_unix_shadowed(pwent)' is going to
return true since I have shadow passwords enabled. This means that PAM
will now try to access /etc/shadow.
The exim daemon does not run as root, however; it runs under the UID
mail. This obviously means that /etc/shadow (mode 0600) cannot be read
by the library, and so `pam_sm_acct_mgmt()' returns
PAM_AUTHINFO_UNAVAIL.
On the assumption that it is a valid thing for a non-root process to
check the validity of an account, I activated the SELinux-specific
`_unix_run_verify_binary()' code, and the call to it in
pam_sm_acct_mgmt(), so that the setuid unix_chkpwd helper binary is
called to retrieve the information from /etc/shadow. This works as
intended.
I have attached a patch with these changes, in the hope that it is
useful. However, I will admit that I simply don't have enough
experience to see if this has security implications or not. Please let
me know.
Bye for now,
--
Laurence Withers, <l lwithers.me.uk>
http://www.lwithers.me.uk/
_______________________________________________
Pam-list mailing list
Pam-list redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
- text/x-diff attachment: pam_unix.so-use-unix_chkpwd-for-accessing-shadow-when-not-root.patch
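The mail turns on a detail that is easy to miss: the `account` phase of pam_unix is not a password check at all, it is a read of the ageing fields in the user's /etc/shadow record (last change, max age, warning period, inactivity grace, expiry date), so a caller that cannot open the 0600 file has nothing to decide on and is told PAM_AUTHINFO_UNAVAIL. The following C program is an added example, not code from the mail, from the attached patch or from pam_unix itself: it models those checks in the order pam_unix's check_shadow_expiry() takes them, on constructed shadow-format text (hypothetical users, placeholder hashes), and shows the "file not readable" outcome a non-root UID such as `mail` runs into. The return-code names and numbers follow Linux-PAM's `<security/_pam_types.h>`; the function and type names (`shadow_entry`, `account_status`, `account_status_from_file`, `status_of`, `days_left_of`) and the sample users are this example's own.

```c
/* Added example (not pam_unix's own code): a model of the per-account checks
 * pam_sm_acct_mgmt() must read /etc/shadow for, and of what a non-root caller
 * gets back when that file cannot be opened. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes, named and numbered as in Linux-PAM's <security/_pam_types.h>. */
enum { PAM_SUCCESS = 0, PAM_AUTHINFO_UNAVAIL = 9, PAM_USER_UNKNOWN = 10,
       PAM_NEW_AUTHTOK_REQD = 12, PAM_ACCT_EXPIRED = 13, PAM_AUTHTOK_EXPIRED = 29 };

/* One /etc/shadow record; empty numeric fields become -1, as with getspnam(). */
struct shadow_entry {
    char name[64];
    char passwd[256];
    long lstchg, min, max, warn, inact, expire;
};

static long field_num(const char *s, size_t len)
{
    char tmp[32];
    if (len == 0 || len >= sizeof tmp) return -1;
    memcpy(tmp, s, len);
    tmp[len] = '\0';
    return strtol(tmp, NULL, 10);
}

/* Split "name:passwd:lstchg:min:max:warn:inact:expire:flag" by hand, because
 * empty fields are normal in shadow and strtok() would swallow them. */
static int parse_shadow_line(const char *line, size_t len, struct shadow_entry *e)
{
    const char *end = line + len, *p = line, *f[9];
    size_t fl[9];
    int n = 0;
    while (n < 9) {
        const char *colon = memchr(p, ':', (size_t)(end - p));
        f[n] = p;
        fl[n] = colon ? (size_t)(colon - p) : (size_t)(end - p);
        n++;
        if (!colon) break;
        p = colon + 1;
    }
    if (n < 8 || fl[0] == 0 || fl[0] >= sizeof e->name || fl[1] >= sizeof e->passwd)
        return -1;
    memcpy(e->name, f[0], fl[0]);    e->name[fl[0]] = '\0';
    memcpy(e->passwd, f[1], fl[1]);  e->passwd[fl[1]] = '\0';
    e->lstchg = field_num(f[2], fl[2]);  e->min    = field_num(f[3], fl[3]);
    e->max    = field_num(f[4], fl[4]);  e->warn   = field_num(f[5], fl[5]);
    e->inact  = field_num(f[6], fl[6]);  e->expire = field_num(f[7], fl[7]);
    return 0;
}

/* The expiry decisions, in the order pam_unix's check_shadow_expiry() takes
 * them (simplified). 'today' is days since the epoch, like the shadow fields. */
static int check_shadow_expiry(const struct shadow_entry *sp, long today, int *daysleft)
{
    *daysleft = -1;
    if (sp->expire != -1 && today >= sp->expire)
        return PAM_ACCT_EXPIRED;            /* the account itself has expired */
    if (sp->lstchg == 0)
        return PAM_NEW_AUTHTOK_REQD;        /* admin forced a password change */
    if (today < sp->lstchg)
        return PAM_SUCCESS;                 /* clock skew: do not lock the user out */
    if (sp->max != -1) {
        long age = today - sp->lstchg;
        if (sp->inact != -1 && age > sp->max + sp->inact)
            return PAM_AUTHTOK_EXPIRED;     /* grace period over: password is dead */
        if (age > sp->max)
            return PAM_NEW_AUTHTOK_REQD;    /* expired, but may still be changed now */
        if (sp->warn != -1 && age > sp->max - sp->warn)
            *daysleft = (int)(sp->lstchg + sp->max - today);  /* warn, still allowed */
    }
    return PAM_SUCCESS;
}

/* Look 'user' up in shadow-format text and run the checks on its record. */
static int account_status(const char *shadow_text, const char *user, long today, int *daysleft)
{
    const char *p = shadow_text;
    struct shadow_entry e;
    *daysleft = -1;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (parse_shadow_line(p, len, &e) == 0 && strcmp(e.name, user) == 0)
            return check_shadow_expiry(&e, today, daysleft);
        p += len + (nl ? 1 : 0);
    }
    return PAM_USER_UNKNOWN;
}

/* The situation in the mail: without root (and without a setuid helper) the
 * 0600 /etc/shadow cannot be opened, so there is nothing to check and the
 * caller gets PAM_AUTHINFO_UNAVAIL instead of a verdict on the account. */
static int account_status_from_file(const char *path, const char *user, long today, int *daysleft)
{
    static char buf[1 << 16];
    size_t n;
    FILE *fp = fopen(path, "r");
    *daysleft = -1;
    if (!fp) {
        fprintf(stderr, "%s: %s\n", path, strerror(errno));  /* EACCES as uid mail */
        return PAM_AUTHINFO_UNAVAIL;
    }
    n = fread(buf, 1, sizeof buf - 1, fp);
    buf[n] = '\0';
    fclose(fp);
    return account_status(buf, user, today, daysleft);
}

/* Constructed sample shadow content (hypothetical users, placeholder hashes).
 * Day 13788 since the epoch is 2007-10-02, the date of the mail. */
static const char sample_shadow[] =
    "alice:$1$salt$hash:13700:0:99999:7:::\n"      /* fine */
    "bob:$1$salt$hash:13600:0:90:7:::\n"           /* password older than max */
    "carol:$1$salt$hash:13600:0:30:7:10::\n"       /* and past the inactivity grace */
    "dave:$1$salt$hash:13700:0:99999:7::13000:\n"  /* account expiry date passed */
    "erin:$1$salt$hash:0:0:99999:7:::\n"           /* lstchg 0: must change now */
    "frank:$1$salt$hash:13760:0:30:7:::\n";        /* inside the warning window */

/* Wrappers returning either half of the answer on its own. */
static int status_of(const char *user, long today)
{ int d; return account_status(sample_shadow, user, today, &d); }
static int days_left_of(const char *user, long today)
{ int d; account_status(sample_shadow, user, today, &d); return d; }

int main(void)
{
    static const char *users[] = { "alice", "bob", "carol", "dave", "erin", "frank", "mallory" };
    size_t i;
    int d;
    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s -> %2d (warning days left: %d)\n", users[i],
               account_status(sample_shadow, users[i], 13788, &d), d);
    printf("/etc/shadow as this uid -> %d\n",
           account_status_from_file("/etc/shadow", "alice", 13788, &d));
    return 0;
}
```

Run it once as an unprivileged user and once as root: the sample users give the same verdicts both times, while the last line flips from PAM_AUTHINFO_UNAVAIL (9) to a real answer only when the file is readable. That difference is exactly what the unix_chkpwd helper bridges in the SELinux build, and why the decision to let a non-root daemon obtain it is the security question the mail raises.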