Hi,

On 02/25/2011 11:16 PM, Martin Koegler wrote:
> On Fri, Feb 25, 2011 at 09:52:48AM +0100, Sebastiaan Breedveld wrote:
>> Unfortunately, the radius configuration file contains a secret
>> string to authenticate against the Radius server, so it should not
>> be world readable.
>>
>> I was actually under the impression that PAM is a query service run
>> as root: how else can a user be capable of obtaining root
>> privileges by using su? Apparently it works differently.
>>
>> Anyway, is there any way to make a construction to authenticate
>> against a module with root-only readable configuration file as a
>> normal user? (different than inetd/xdm, which does not have the
>> features I need for this group of users).
> First, I would not set Xvnc setuid root - Xvnc is not written for such a
> case. I would not be surprised if such a setup can be used by a user
> to gain elevated privileges.
>
> If you really need such a setup, I would create a new radiusauth
> group, make the conf files group readable [maybe even with setfacl, if
> the normal group can not be changed] and make Xvnc setgid for this
> group [It can be possible that you need to add calls to setregid to
> swap the gids]. In this setup, a user at most only gets a copy of the
> radius conf files.
>
> A better solution would be to look for a pam module which does not
> require extended privileges. Search if there are pam modules
> authenticating against other services which use your radius server -
> or pam modules which pass the authentication to a root owned daemon
> (sssd?).
>
> Regards,
> Martin Kögler
It seems that the sssd is the only correct approach. I have not heard of 
this project before but looks interesting. I will look into it later.

Thanks!
Sebastiaan
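The setgid variant Martin sketches above hinges on two things: the conf file must really be readable only by the dedicated group, and the helper must give up that group (all three gids, not just the effective one) as soon as the secret is in memory, so no later code path can switch back. The program below is an added illustration of that pattern and is not TigerVNC's code or a patch to Xvnc; the conf path and the idea of a single "radiusauth" group are assumptions taken from the mail, and setresgid/getresgid are Linux/glibc calls (on other systems substitute setregid as Martin suggests).

```c
#define _GNU_SOURCE          /* setresgid/getresgid on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical location; the thread does not name the real file. */
#define RADIUS_CONF "/etc/radiusauth/pam_radius.conf"

/* Return 1 if `path` is a regular file owned by group `grp`, readable by
 * that group and carrying no permission bits at all for "other"; 0 otherwise.
 * This is the property the setgid setup depends on: only the radiusauth
 * group (and therefore the setgid helper) can read the shared secret. */
int is_group_private(const char *path, gid_t grp)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_gid != grp || !(st.st_mode & S_IRGRP))
        return 0;
    if (st.st_mode & S_IRWXO)
        return 0;
    return 1;
}

/* Irrevocably give up the setgid group: set real, effective *and* saved gid
 * to `gid`, then confirm with getresgid that all three changed. A bare
 * setegid() would leave the saved gid behind, and code later in the process
 * could switch back to it; that is what "swap the gids" has to avoid. */
int drop_group_privs(gid_t gid)
{
    gid_t r, e, s;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    return (r == gid && e == gid && s == gid) ? 0 : -1;
}

/* Read the conf file into `buf` (NUL-terminated). Returns bytes read or -1. */
ssize_t read_conf(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Self-check that needs no root: a fresh temp file counts as group-private
 * only once its "other" bits are cleared. Returns 1 if both checks behave. */
int perms_selfcheck(void)
{
    char tmpl[] = "/tmp/radiusconf-XXXXXX";
    struct stat st;
    int ok = 1;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    if (fstat(fd, &st) != 0) { close(fd); unlink(tmpl); return 0; }
    gid_t grp = st.st_gid;                      /* whatever group the file got */
    if (fchmod(fd, 0644) != 0 || is_group_private(tmpl, grp) != 0) ok = 0;
    if (fchmod(fd, 0640) != 0 || is_group_private(tmpl, grp) != 1) ok = 0;
    close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    char conf[4096];
    gid_t real_gid = getgid();    /* the invoking user's group */
    gid_t file_gid = getegid();   /* the setgid group, while still elevated */

    if (!is_group_private(RADIUS_CONF, file_gid)) {
        fprintf(stderr, "%s: not private to gid %u, refusing to start\n",
                RADIUS_CONF, (unsigned)file_gid);
        return 1;
    }
    if (read_conf(RADIUS_CONF, conf, sizeof conf) < 0) {
        perror("read_conf");
        return 1;
    }
    /* Secret is in memory: drop the group before doing anything else. */
    if (drop_group_privs(real_gid) != 0) {
        perror("drop_group_privs");
        return 1;
    }
    printf("conf read (%zu bytes), now running as gid %u\n",
           strlen(conf), (unsigned)getegid());
    /* ... hand the secret to the PAM conversation here ... */
    memset(conf, 0, sizeof conf);  /* best-effort scrub of the secret */
    return 0;
}
```

Even with the drop done correctly, the user still ends up holding a copy of the secret in their own process, which is exactly the residual risk Martin points out; the check in `is_group_private` only keeps the file itself from being readable by everyone else on the host.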


_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel
