PAM, Shadow Passwords, non-root users

Post by Jack Snodgra » Fri, 09 Jul 1999 04:00:00



Not sure where the best place to ask this is so I'll try here.

How can an application (like the cyrus imap/pop server) validate a
userid/password from a /etc/shadow file using PAM? The server does not
run as root and it looks like only root programs can read and check
the /etc/shadow file.

There is some file called /sbin/pwdb_chkpwd that looks like it is
supposed to help/do this, but I've got no idea how to call it.

Any info would be appreciated.

--


ICQ# 27979473

 
 
 

PAM, Shadow Passwords, non-root users

Post by William Evan » Fri, 09 Jul 1999 04:00:00


    Jack> Not sure where the best place to ask this is so I'll try here.
    Jack> How can an application (like the cyrus imap/pop server) validate a
    Jack> userid/password from a /etc/shadow file using PAM? The server does not
    Jack> run as root and it looks like only root programs can read and check
    Jack> the /etc/shadow file.

    Jack> There is some file called /sbin/pwdb_chkpwd that looks like it is
    Jack> supposed to help/do this, but I've got no idea how to call it.

Here's how I understand it:

The service in question is configured (via its file in /etc/pam.d/ or
its entry in /etc/pam.conf) to use pam_pwdb for authentication, such
as:

    auth       required     /lib/security/pam_pwdb.so shadow nullok

pam_pwdb checks to see if the password is stored in shadow form
(and/or md5), and decides whether it needs pwdb_chkpwd or not.  If so,
it runs it, and it gains, through its setuid bit, root privileges,
enough to verify the password and permit or deny the user based on
this.

It is entirely automatic, as far as I understand it.  Based on the
version of pam_pwdb and pwdb_chkpwd, it may support more than just
simple shadow passwords ... check with the documentation included with
it or check the version and look online for more information.

If all else fails, grab the source and see what's going on.  I
admittedly haven't done this, as I do have faith in the PAM crew.
(Sorry, I don't have the URL handy at this time.)

I have no idea as to cyrus' status with pam authentication.  If it
does include it, then it should not be a problem to have cyrus
authenticate against a shadow password scheme.

HTH

-bill

--
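
An added example (not from the thread and not PAM project code): a small Python parser for the rule format shown in the reply above, covering both the /etc/pam.d/ per-service layout and the /etc/pam.conf layout with its leading service column. It reports auth rules that carry nullok, the argument that lets an account with a blank password authenticate. The service name imap and both sample files are constructed for illustration.

```python
# Constructed samples: the auth line from the post in /etc/pam.d/ form, and the
# same rule in /etc/pam.conf form. "imap" is an assumed service name.
PAM_D_SAMPLE = """\
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
"""
PAM_CONF_SAMPLE = """\
# service  type  control  module-path  arguments
imap   auth   required   /lib/security/pam_pwdb.so \\
       shadow nullok
"""
TYPES = {"auth", "account", "password", "session"}

def parse_pam(text, service=None):
    """Parse PAM rules into dicts.
    service="name": text is /etc/pam.d/name (no service column).
    service=None:   text is /etc/pam.conf (first column is the service)."""
    rules = []
    joined = text.replace("\\\n", " ")         # backslash-newline continues a rule
    for raw in joined.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        svc = service if service is not None else fields.pop(0)
        if len(fields) < 3 or fields[0] not in TYPES:
            raise ValueError(f"malformed PAM rule: {raw!r}")
        mtype, control, rest = fields[0], fields[1], fields[2:]
        # Bracketed controls such as [success=1 default=ignore] contain spaces.
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)
        if not rest:
            raise ValueError(f"missing module path: {raw!r}")
        rules.append({"service": svc, "type": mtype, "control": control,
                      "module": rest[0], "args": rest[1:]})
    return rules

def audit_auth(rules):
    """Return one finding per auth rule that permits blank passwords."""
    return [f'{r["service"]}: {r["module"]} permits blank passwords (nullok)'
            for r in rules if r["type"] == "auth" and "nullok" in r["args"]]

if __name__ == "__main__":
    for sample, svc in ((PAM_D_SAMPLE, "imap"), (PAM_CONF_SAMPLE, None)):
        for finding in audit_auth(parse_pam(sample, service=svc)):
            print(finding)
```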


 
 
 
