[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [leafnode-list] Question regarding authentification

To: leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [leafnode-list] Question regarding authentification
From: jrd@xxxxxxxxxxxx (John R. Dennison)
Date: by ns (mbox horst.fischer)(with Cubic Circle's cucipop (v1.31 1998/05/13) Thu Jul 22 20:53:05 1999)

In previous mail, Thomas Bader spouted...
> 
> I think, you can use /bin/login to test, if the password and username
> are right. But I don't know, how it works, it just an idea.

	Not in such an application, no.

> IMHO it is really usefull, when there's *one* passwordfile in the
> system, which is used from all services, which run on the machine. You
> really know the problem, when you change the password of one user with
> 'passwd' you must change it with smbpasswd and htpasswd too, which takes
> a lot of time.

	/etc/{passwd,shadow} is for interactive access to the system, not
	for non-login services.  People that use it as such are foolish.

	SMB and httpd and INN/nnrpd have seperate files for a reason;
	security.  These are not system components, no matter how you
	would care to think of them, and as such, they get seperate 
	files for authentication purposes.

	From a security standpoint, use /etc/leafnode.pw or similar.

> My other idea is, that you can copy /etc/shadow and give the new file
> the permission 600 news.news, in this case you have two files, one file
> is only readable from root and one file is only readable from news. When
> you run nntpd initial as root, it can copy the /etc/shadow to
> /etc/nntp.shadow ie. and give it the needed permissions. (And you could
> modify '/bin/passwd' that it sends a SIGHUP to nntpd, when a passwort is
> changed.)

	Can you say race condition?  These bits would NEVER get installed on
	any machine under my jurisdictional control.

> BTW: Don't laugh at me, the ideas above are only ideas, I'm not an
> expert.

	Not laughing at you by any means.  Just wanted to point out that
	using a system access control file for a non-system purpose is
	just not right by any means.




						John R. Dennison
						SysAdmin and Security Guy


-- 
"Whenever two people meet, there are really six people present. There is each
man as he sees himself, each man as the other person sees him, and each man
as he really is."
-- William James

-- 
leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx -- mailing list for leafnode
To unsubscribe, send mail with "unsubscribe" in the subject to the list

References:
- Re: [leafnode-list] Question regarding authentification
  - From: Thomas Bader

Prev by Date: Re: [leafnode-list] Question regarding authentification
Next by Date: Re: [leafnode-list] fetchnews
Previous by thread: Re: [leafnode-list] Question regarding authentification
Next by thread: Re: [leafnode-list] Question regarding authentification
Index(es):
- Date
- Thread