On Wed, 27 Feb 2002 06:23:58 EST, Michael Mitton said:
> Even with PAM you need to be root. I had this trouble myself and ended up
> writing a helper script that ran suid as root and passed login info via
> pipes. If you are not root, it seems to only auth the user you are
> running your script as.

Very true - but on the *other* hand - under what conditions do you *want* to be able to authenticate as some other user? That's a big security hole.

1) Unless you're very careful, the program can then be used as a password guesser for another userid. You can even automate it using XTest or similar.

2) Since you're still running as yourself, authenticating as somebody else doesn't do squat for you - you only have your own access permissions. You *could* invoke or contact something else - but *that* something should be doing its *own* authentication. For instance, having your program shout down a named pipe "Yeah, it's really the other guy" is broken security wise - the program at the other end of the pipe needs to verify *for itself* that whatever is at the sending end is who it claims to be.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
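The point about the receiving end verifying the sender for itself, as an added example that is not part of the original message or thread: a receiver that ignores the identity claimed in the message and decides on the credentials the kernel recorded for the peer. It assumes Linux and swaps the named pipe for a Unix domain socket, where `SO_PEERCRED` is available; the function names and the `allowed_uids` policy are hypothetical.

```python
import os
import socket
import struct

# Layout of Linux "struct ucred": pid_t pid; uid_t uid; gid_t gid.
UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def handle_request(conn, allowed_uids):
    """Authorize on the kernel-reported uid; the message text is only a claim."""
    _pid, uid, _gid = peer_credentials(conn)
    claimed = conn.recv(256).decode("utf-8", "replace").strip()
    verdict = "allow" if uid in allowed_uids else "deny"
    return (verdict, uid, claimed)


def demo():
    """Send the same claim twice; only the receiver's uid policy differs."""
    me = os.getuid()
    results = []
    # Constructed policies: first trusts our own uid, second trusts another uid.
    for allowed in ({me}, {me + 1}):
        receiver, sender = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        with receiver, sender:
            # Constructed message: the sender asserts someone else's identity.
            sender.sendall(b"Yeah, it's really the other guy\n")
            results.append(handle_request(receiver, allowed))
    return results


if __name__ == "__main__":
    for verdict, uid, claimed in demo():
        print(f"{verdict}: kernel says uid={uid}, sender says {claimed!r}")
```

The claim in the message is identical in both runs; the verdict changes only with the uid the kernel reports for the sending process.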