
Re: [leafnode-list] Question regarding authentification



Michael Faurot wrote:

> Cornelius Krasel <krasel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> : While dealing with Mark Brown's authinfo patch, I wrote an extension for
> : the nntpd which allows authinfo based on the contents of /etc/passwd and
> : /etc/shadow -- or so I thought. Obviously, the nntpd cannot access the
> : shadowed password file since it does not run as the superuser but as
> : user "news" instead. Therefore, I am curious as to what your opinion is.
> : I see at least the following possibilities:
> 
> : 1) Ignoring authentification based on /etc/shadow
> 
> : 2) Let the nntpd run on UID (or GID) 0
> 
> : 3) Have its own user/password file which is readable by news:news
> 
> : What do you think?
> 
> Why not write a separate SUID program that could be called by nntpd?

I don't think this is a good idea because it overrides the additional
security provided by /etc/shadow. Any other program will be able to
call this suid program as well, and therefore there is no point in
using /etc/shadow any more.

--Cornelius.

-- 
/* Cornelius Krasel, U Wuerzburg, Dept. of Pharmacology, Versbacher Str. 9 */
/* D-97078 Wuerzburg, Germany   email: phak004@xxxxxxxxxxxxxxxxxxxxxx  SP4 */
/* "Science is the game we play with God to find out what His rules are."  */
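
Option 3 in the quoted message (a separate password file readable by news:news) only holds up if the daemon refuses to use that file once its ownership or mode has drifted. The following C code is an added example, not part of the original thread or of leafnode's code; the function names and the exact policy (no group write, no access for others) are assumptions, and the demo uses the current user and group as a stand-in for news:news.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open a private password file only if it is a regular
 * file owned by owner:group, not group-writable and closed to "other".
 * Returns a read-only descriptor, or -1 if any check fails. */
int open_private_pwfile(const char *path, uid_t owner, gid_t group)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink planted at the path;
     * O_NONBLOCK keeps open() from hanging if the path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so the checks apply to the
     * object that was actually opened (no check-then-use race). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_gid != group ||
        (st.st_mode & (S_IWGRP | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: create a temporary file with the given mode and report
 * whether the check accepts it (1), rejects it (0), or setup failed (-1). */
int demo_accepts(mode_t mode)
{
    char path[] = "/tmp/pwfile-demo-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    /* Pin the group to ours (BSD-derived systems inherit it from /tmp). */
    int ok = fchown(tmp, (uid_t)-1, getegid()) == 0 && fchmod(tmp, mode) == 0;
    close(tmp);
    int fd = ok ? open_private_pwfile(path, geteuid(), getegid()) : -1;
    if (fd >= 0)
        close(fd);
    unlink(path);
    return ok ? (fd >= 0) : -1;
}
```

Modes 0600 and 0640 pass the check; 0644 (world-readable) and 0660 (group-writable) are rejected before a single byte is read.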
