On Mon, Jul 10, 2006, Chris Lightfoot wrote:
>>> Hang on - it's not supposed to, is it? The whole point of /etc/shadow
>>> is to hide the crypted tokens away. Then a mechanism is provided
>>> (PAM) for checking passwords without having to expose the shadow file.
>> PAM works using shared libraries. It doesn't provide any route around
>> Unix's usual security boundaries.
> There's typically a setuid helper which pam_unix calls,
> isn't there? Usually called unix_chkpwd or pwdb_chkpwd.
> It's invoked when pam_unix fails to obtain the password
> hash itself with getsp*. However, it can only be used to
> test the password of the user calling the program (exim in
> this case) and is therefore no use for this application. I
> think the idea is to be able to implement something like
> xlock without any privileged code outside PAM.

Try <http://tehran.lain.pl/x/pam.c>. As the comment states, the source is stolen from saslauthd.
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
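
The situation described in the quoted text above, as an added C example that is not part of the original messages and is not Linux-PAM source: it probes whether the current process can read a shadow entry with `getspnam()` and then applies the helper rule as the thread states it (the helper only checks the calling user's own password). The names `classify`, `probe` and `verify_path` are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum verify_path {
    VIA_SHADOW,  /* process can fetch the hash itself: getsp* succeeds */
    VIA_HELPER,  /* setuid helper checks it, but only for the caller's own account */
    NO_PATH      /* unprivileged process asking about a different user */
};

/* Policy as described in the thread (a model, not pam_unix code):
 * which route lets a process with real uid caller_uid verify the
 * password of target_uid, given whether getsp* worked for it. */
enum verify_path classify(uid_t caller_uid, uid_t target_uid, int shadow_readable)
{
    if (shadow_readable)
        return VIA_SHADOW;
    if (caller_uid == target_uid)
        return VIA_HELPER;
    return NO_PATH;
}

/* Probe the running system for a named account; -1 if the account is unknown. */
int probe(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    /* getspnam() returns NULL when /etc/shadow is unreadable to this process. */
    int readable = (getspnam(user) != NULL);
    return classify(getuid(), pw->pw_uid, readable);
}

int main(int argc, char **argv)
{
    static const char *names[] = {
        "read hash directly", "setuid helper (own account only)", "no route"
    };
    const char *user = argc > 1 ? argv[1] : "root";
    int r = probe(user);
    if (r < 0) { fprintf(stderr, "unknown user %s\n", user); return 1; }
    printf("uid %d checking %s: %s\n", (int)getuid(), user, names[r]);
    return 0;
}
```

Run as an unprivileged daemon account against another user's name, this reports "no route", which is the case the thread says makes the helper useless for exim.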
