On 2008-08-28 08:48, Jaco van der Schyff wrote:
> What are my options to auth against /etc/shadow using PAM without giving
> exim too many privileges?
>
> I currently have two options: chgrp exim /etc/shadow or write an
> external authenticator (which is suid root) that returns a
> true/false which I can evaluate in exim.
>
> Any other ideas?

I configured this today using pwauth. Pwauth (http://unixpapa.com/pwauth/) is an external authenticator, as you mention in the second option. It is written with Apache in mind, because Apache suffers from the same problem: the need to run as root to authenticate to /etc/shadow.

Download it, configure it, compile it. I put pwauth (suid root) in /usr/local/bin/. The authentication driver configuration for me was:

  plain_server:
    driver = plaintext
    public_name = PLAIN
    # pwauth reads the login and the password from stdin, one per line;
    # exit status 0 makes the condition true
    server_condition = ${run{/bin/bash -c "echo -e '$auth2\n$auth3' | /usr/local/bin/pwauth"}{1}{0}}
    server_set_id = $auth2
    server_prompts = :
    # advertise PLAIN only over TLS unless the macro below is defined
    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
    server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
    .endif

As I run Debian 5.0/Lenny, I added this to /etc/exim4/exim4.conf.template. Don't forget to add the UID of the exim user to SERVER_UIDS in config.h of pwauth's source files.

It's authentication to /etc/shadow the easy and secure way!

With kind regards,

Jurrie
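Added example, not part of the original post or of pwauth: the server_condition above places $auth2 and $auth3 inside a bash -c string, so quote and backslash characters in a credential are interpreted by the shell and by echo -e. The Python below checks, by parsing only, which credentials survive that quoting, and shows the same two-line stdin hand-off to pwauth without a shell; the function names, the timeout and the fail-closed handling are assumptions.

```python
import shlex
import subprocess

PWAUTH = ["/usr/local/bin/pwauth"]  # path as used in the config above

def shell_line(user, password):
    """Command string bash receives once $auth2/$auth3 are substituted."""
    return f"echo -e '{user}\\n{password}' | /usr/local/bin/pwauth"

def survives_shell(user, password):
    """True if bash and echo -e would pass exactly these two lines on.

    Models the bash stage only; Exim's own splitting of the ${run}
    string is not modelled here.
    """
    if "\\" in user + password or "\n" in user + password:
        return False                 # echo -e rewrites backslash sequences
    try:
        tokens = shlex.split(shell_line(user, password))  # parsed, never run
    except ValueError:               # unbalanced quote in a credential
        return False
    return tokens == ["echo", "-e", f"{user}\\n{password}",
                      "|", "/usr/local/bin/pwauth"]

def check_password(user, password, cmd=PWAUTH):
    """Send login and password to pwauth on stdin with no shell in between."""
    if any(c in user + password for c in "\n\0"):
        return False                 # would shift the two-line protocol
    try:
        proc = subprocess.run(cmd, input=f"{user}\n{password}\n".encode(),
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False                 # fail closed if pwauth cannot be run
    return proc.returncode == 0      # 0 is the status the config treats as success

if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    for pw in ("correct horse", "it's", "a\\tb"):
        print(repr(pw), "survives shell quoting:", survives_shell("alice", pw))
```

Because the argument list is executed directly, the credential bytes reach pwauth unchanged whatever characters they contain.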
