[12251] in bugtraq


PAM applications running as root (Was Re: WebTrends Enterprise

daemon@ATHENA.MIT.EDU (Darren Moffat)
Fri Oct 15 12:39:51 1999

Message-Id:  <199910142152.WAA08467@otis.UK.Sun.COM>
Date:         Thu, 14 Oct 1999 14:52:59 -0700
Reply-To: Darren Moffat <darren.moffat@sunuk.UK.Sun.COM>
From: Darren Moffat <darren.moffat@SUNUK.UK.SUN.COM>
X-To:         manos@TKI.NET
To: BUGTRAQ@SECURITYFOCUS.COM

>You can run the server as root or as some other user. In order to use PAM
>(Pluggable Authentication Module) it has to run as root.

A general comment about PAM rather than this specific problem.

It is NOT a requirement of the PAM framework that the application be running as
root.  There are two cases though that make login type applications need to
run as root.

	1) The password is stored in /etc/shadow which only root can read.
	   If the password was in NIS/NIS+/LDAP then the authentication
	   could succeed as an ordinary user.
	2) The login application needs to make setuid/setgid calls; this
	   usually happens in the application after PAM authentication has
	   been completed and is thus nothing to do with PAM.

	   If the OS has privileges/capabilities then the application would
	   assert PROC_SETID/CAP_SETID instead of being root to make the
	   setuid/setgid calls.
	
	
--
Darren J Moffat

	This posting is my own opinion and does not constitute official
			support from Sun Microsystems Inc.
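
An added example, not part of the original posting: a small auditor that takes the text of a Linux /proc/<pid>/status file and reports which of the two cases above a process is equipped for without being root. It assumes Linux, where CAP_SETUID and CAP_SETGID play the role the posting calls CAP_SETID; the function name, flag names and sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result flags (hypothetical names, defined for this example only). */
#define ST_EUID_ROOT  0x1 /* effective uid is 0 */
#define ST_SHADOW_CAP 0x2 /* case 1: holds a capability that bypasses file read permission */
#define ST_SETID_CAP  0x4 /* case 2: holds both CAP_SETUID and CAP_SETGID */

/* Linux capability bit numbers, as in <linux/capability.h>. */
enum { DAC_OVERRIDE = 1, DAC_READ_SEARCH = 2, SETGID = 6, SETUID = 7 };

/* Return a pointer just past `key` where it starts a line of `text`, or NULL. */
static const char *field(const char *text, const char *key) {
    size_t n = strlen(key);
    const char *p = text;
    while (p && *p) {
        if (strncmp(p, key, n) == 0) return p + n;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return NULL;
}

/* Classify a process from its /proc/<pid>/status text; -1 if fields are missing. */
int classify_status(const char *status) {
    const char *uid = field(status, "Uid:");    /* real, effective, saved, fs */
    const char *cap = field(status, "CapEff:"); /* effective set, hex bitmask */
    unsigned long ruid, euid;
    char *end;
    if (!uid || !cap || sscanf(uid, "%lu %lu", &ruid, &euid) != 2) return -1;
    unsigned long long eff = strtoull(cap, &end, 16);
    if (end == cap) return -1;
    int r = 0;
    if (euid == 0) r |= ST_EUID_ROOT;
    if (eff & ((1ULL << DAC_OVERRIDE) | (1ULL << DAC_READ_SEARCH))) r |= ST_SHADOW_CAP;
    if ((eff >> SETGID & 1) && (eff >> SETUID & 1)) r |= ST_SETID_CAP;
    return r;
}

int main(void) {
    /* Constructed sample: a service account holding only the two set-id capabilities. */
    const char *s = "Name:\tlogin-like\nUid:\t998\t998\t998\t998\nCapEff:\t00000000000000c0\n";
    int r = classify_status(s);
    printf("euid root: %d, shadow-read capability: %d, setuid/setgid capability: %d\n",
           !!(r & ST_EUID_ROOT), !!(r & ST_SHADOW_CAP), !!(r & ST_SETID_CAP));
    return 0;
}
```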
