Jack> Not sure where the best place to ask this is so I'll try here.
Jack> How can an application (like the cyrus imap/pop server) validate a
Jack> userid/password from a /etc/shadow file using PAM. The server does not
Jack> run as root and it looks like only root programs can read and check
Jack> the /etc/shadow file.
Jack> There is some file called /sbin/pwdb_chkpwd that looks like it is
Jack> supposed to help/do this, but I've got no idea how to call it.
Here's how I understand it:
The service in question is configured (via its file in /etc/pam.d/ or
its entry in /etc/pam.conf) to use pam_pwdb for authentication, such
auth required /lib/security/pam_pwdb.so shadow nullok
pam_pwdb checks to see if the password is stored in shadow form
(and/or md5), and decides whether it needs pwdb_chkpwd or not. If so,
it runs it, and it gains, through its setuid bit, root privileges,
enough to verify the password and permit or deny the user based on
It is entirely automatic, as far as I understand it. Based on the
version of pam_pwdb and pwdb_chkpwd, it may support more than just
simple shadow passwords ... check with the documentation included with
it or check the version and look online for more information.
If all else fails, grab the source and see what's going on. I
admittedly haven't done this, as I do have faith in the PAM crew.
(Sorry, I don't have the URL handy at this time.)
I have no idea as to cyrus' status with pam authentication. If it
does include it, then it should not be a problem to have cyrus
authenticate against a shadow password scheme.