>Do not, EVER, do that. The moment you do, checkpassword becomes a /bin/su
>replacement without any logging or limiting.
Don't you think that this hysterical reaction is a bit too far?
checkpassword is certainly a safer suid program than most of the suids in your
system.
And another one:
>Don't do that! You have just created a target for a dictionary attack;
>suid /bin/checkpassword is /bin/su without bad attempts logging
>(and with somewhat unusual interface).
>If you definitely need to run /bin/checkpassword as root, it's
>healthier to run tcpserver on port 25 as root (not as qmaild) and
>drop root after checking name and password. It's still far from being
>ideal, though.
>On a PAMified system, you should be able to get away with it
>without running code as root (root is necessary to install the PAM
>script in /etc/pam.d only).
On a PAMified system you can still use it as a dictionary cracker :)
All in all, on a non-shell system (like most ISPs' mail servers) where only
admins have shell access, making checkpassword suid is nothing bad.
CERTAINLY not as bad as you portray it.
Kris