Re: SASL and SHADOW
On Thu, 9 Aug 2001, Tyrone Vaughn wrote:

> I did search the archives and the closest solution I can find is to
> abandon checking the shadow file via PAM and run the program "pwcheck"
> as the root user -- something I don't want to do.
>
> If you know the answer, would you please forward it on to me?

Simple: you need read access to /etc/shadow to check passwords. So either you arrange /etc/shadow permissions so that the imapd process (which does not run as root) can read it, or you need some root process to read it instead and provide the answer (which is what pwcheck is designed for).

As someone else already suggested, if you don't want to run pwcheck as root (the "yet another root daemon running on my system" syndrome), arrange permissions so that only the imapd process can read /etc/shadow.

    $ ls -al /etc/shadow
    -r--r-----    1 root     cyrus       11736 Aug  6 15:20 /etc/shadow

I've used both the pwcheck and the above solution successfully.

.TM.
--
Marco Colombo
Technical Manager
ESI s.r.l.
[EMAIL PROTECTED]
Re: SASL and SHADOW
PAM has no special privileges. PAM library calls run with the same privilege level as the calling program. Therefore, not even the user 'cyrus' can authenticate without permissions set to 444.

With that said and your obvious experience to the contrary, are you talking about cyrus authenticating from an email client package or the user cyrus authenticating via cyradm? If the latter, are you running with root privileges when you authenticate as user cyrus? I'm just trying to figure out what might be different when you authenticate as cyrus as opposed to any other user because basically, the cyrus login should fail too if /etc/shadow is root readable only.

BTW, better than setting /etc/shadow to 444, set the permissions to 440 and make sure that imapd runs under a group that has group read privileges in /etc/shadow -- but make sure no other non-privileged programs run as that group. I presume that imap was built to run as group "mail" which is pretty standard. One solution would be to rebuild imap to run as user "cyrus" and group "cyrus" and don't use group "cyrus" for anything else. Now change /etc/shadow to be owned by user "root" and group "cyrus", and set the perms to 440. This is less of a compromise.

Other options include running the pwcheck daemon which avoids any changes to /etc/shadow. And probably the best choice is to use LDAP which, again, requires no special privileges.

But yes, I am perplexed as to why user 'cyrus' can authenticate. You are obviously doing something different with user 'cyrus' although what that difference is may not be quite so obvious.

-- Rob

--On Thursday, August 09, 2001 08:40:58 AM -0500 Tyrone Vaughn <[EMAIL PROTECTED]> wrote:

> I have done six implementations of Cyrus (2.0.11 - 2.0.16) and in each
> one I have the same problem. No user, other than cyrus, can
> authenticate unless I make the shadow file 444 versus its original 400.
>
> Pertinent information:
> OS's -- RH 6.2, 7.0 & Mandrake 7.2, 8.0
> Cyrus -- 2.0.11 - 2.0.16
> Sasl -- 1.5.24
>
> /etc/imapd.conf --
> sasl_pwcheck_method: PAM
>
> /usr/lib/sasl/Cyrus.conf --
> pwcheck_method: PAM
>
> Any ideas? Anyone seen this before?
>
> Thanks!
>
> Tyrone
>
> --
> "A wise man will make more opportunities than he finds."
>
> Francis Bacon

QUIDQUID LATINE DICTUM SIT, PROFUNDUM VIDITUR
(Whatever is said in Latin appears profound)

Rob Tanner
UNIX and Networks Manager
Linfield College, McMinnville OR
(503) 434-2558 <[EMAIL PROTECTED]>
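A small audit script for the permission layout Rob describes (root:cyrus, mode 440, nothing else in that group), added here as an example and not taken from the thread or from Cyrus itself. It converts the symbolic mode shown by `ls -l` to octal and classifies the result against the group imapd is assumed to run as; the `ls` line it parses is a constructed sample.

```shell
#!/bin/sh
# Added example: audit /etc/shadow permissions against the imapd service
# group. Not code from the thread; the sample ls line below is constructed.

# Octal digit for one rwx triplet, e.g. "r--" -> 4, "rw-" -> 6
triplet_val() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# Symbolic mode as printed by ls ("-r--r-----") -> "440"
sym_to_octal() {
    p=$(printf '%s' "$1" | cut -c2-10)
    printf '%s%s%s\n' \
        "$(triplet_val "$(printf '%s' "$p" | cut -c1-3)")" \
        "$(triplet_val "$(printf '%s' "$p" | cut -c4-6)")" \
        "$(triplet_val "$(printf '%s' "$p" | cut -c7-9)")"
}

# classify_shadow_perms MODE OWNER GROUP SVCGROUP prints one of:
#   ok              root-owned, group-readable by the service group only
#   world-readable  the 444 workaround from the thread: everyone can read it
#   writable        group/other write or exec bits set, or owner is not root
#   unreadable      the service group cannot read it (the original symptom)
classify_shadow_perms() {
    mode=$1 owner=$2 group=$3 svcgroup=$4
    case $mode in ????) mode=${mode#?} ;; esac   # accept 0440 as well as 440
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    if [ "$owner" != root ] || [ $((g & 3)) -ne 0 ] || [ $((o & 3)) -ne 0 ]; then
        echo writable
    elif [ $((o & 4)) -ne 0 ]; then
        echo world-readable
    elif [ $((g & 4)) -ne 0 ] && [ "$group" = "$svcgroup" ]; then
        echo ok
    else
        echo unreadable
    fi
}

# audit_ls_line "<ls -l line>" SVCGROUP: word-split the line into mode,
# link count, owner, group, then classify.
audit_ls_line() {
    svc=$2
    set -- $1
    classify_shadow_perms "$(sym_to_octal "$1")" "$3" "$4" "$svc"
}

# Constructed sample in the format the thread's `ls -al` output shows
audit_ls_line "-r--r-----  1 root cyrus 11736 Aug  6 15:20 /etc/shadow" cyrus
```

Run against the real file with `audit_ls_line "$(ls -l /etc/shadow)" cyrus`, substituting whatever group your imapd actually runs as.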
Re: SASL and SHADOW
I did search the archives and the closest solution I can find is to abandon checking the shadow file via PAM and run the program "pwcheck" as the root user -- something I don't want to do.

If you know the answer, would you please forward it on to me?

Thanks.

Tyrone

Amos Gouaux wrote:
>
> > On Thu, 09 Aug 2001 08:40:58 -0500,
> > Tyrone Vaughn <[EMAIL PROTECTED]> (tv) writes:
>
> tv> I have done six implementations of Cyrus (2.0.11 - 2.0.16) and in each
> tv> one I have the same problem. No user, other than cyrus, can
> tv> authenticate unless I make the shadow file 444 versus its original 400.
>
> Check the list archives and search for pwcheck. This has been
> hammered to death recently.
>
> http://asg.web.cmu.edu/archive/mailbox.php3?mailbox=archive.info-cyrus
>
> --
> Amos

--
"A wise man will make more opportunities than he finds."

Francis Bacon
Re: SASL and SHADOW
> On Thu, 09 Aug 2001 08:40:58 -0500,
> Tyrone Vaughn <[EMAIL PROTECTED]> (tv) writes:

tv> I have done six implementations of Cyrus (2.0.11 - 2.0.16) and in each
tv> one I have the same problem. No user, other than cyrus, can
tv> authenticate unless I make the shadow file 444 versus its original 400.

Check the list archives and search for pwcheck. This has been hammered to death recently.

http://asg.web.cmu.edu/archive/mailbox.php3?mailbox=archive.info-cyrus

--
Amos
SASL and SHADOW
I have done six implementations of Cyrus (2.0.11 - 2.0.16) and in each one I have the same problem. No user, other than cyrus, can authenticate unless I make the shadow file 444 versus its original 400.

Pertinent information:
OS's -- RH 6.2, 7.0 & Mandrake 7.2, 8.0
Cyrus -- 2.0.11 - 2.0.16
Sasl -- 1.5.24

/etc/imapd.conf --
sasl_pwcheck_method: PAM

/usr/lib/sasl/Cyrus.conf --
pwcheck_method: PAM

Any ideas? Anyone seen this before?

Thanks!

Tyrone

--
"A wise man will make more opportunities than he finds."

Francis Bacon