From: Mike Beattie (no email)
Date: Wed Jul 07 2004 - 15:45:22 EDT
On Wed, Jul 07, 2004 at 10:47:39AM -0700, Wil Cooley wrote:
> No, saslauthd runs as root--its role is to provide authentication
> services, often for PAM or shadow authentication, which requires root
> access. It's a much better solution than creating a 'shadow' group and
> making /etc/shadow readable by it and putting cyrus into that group.
And I hate to point out, but then, if a malicious user manages to find a
flaw in cyrus they could hypothetically use that flaw to get a copy of
/etc/shadow. (If I'm mistaken, *please* correct me)
Only the second worst thing after actually getting a root shell, IMO.
Mike.
--
Mike Beattie <> UNIX Systems Engineer, ITS
Ph: +64 3 479 8597 Fax: +64 3 479 5080 Cell: +64 27 44 80386
* Opinions expressed are my own, not those of the University of Otago *
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
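Added example, not part of the original message or of Cyrus: an audit helper that lists which accounts can read a file such as /etc/shadow under plain Unix mode bits, to show the exposure the 'shadow' group setup discussed above creates. The account and group entries are constructed sample data, and the check assumes no ACLs or extra capabilities are in play.

```python
import stat

# Constructed sample data in /etc/passwd and /etc/group format (assumed, not from the thread).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
cyrus:x:96:12:Cyrus IMAP:/var/lib/imap:/bin/sh
www:x:33:33:web:/var/www:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
mail:x:12:
www:x:33:
shadow:x:42:cyrus
"""

def readers(mode, owner_uid, owner_gid, passwd_text, group_text):
    """Return the sorted account names able to read a file with this mode and ownership."""
    members = {}  # gid -> names listed as supplementary members
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _name, _pw, gid, users = line.split(":", 3)
        members[int(gid)] = {u for u in users.split(",") if u}
    allowed = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if uid == 0:
            ok = True  # root bypasses the mode bits
        elif uid == owner_uid:
            ok = bool(mode & stat.S_IRUSR)  # owner class is checked first
        elif gid == owner_gid or name in members.get(owner_gid, set()):
            ok = bool(mode & stat.S_IRGRP)  # primary or supplementary group
        else:
            ok = bool(mode & stat.S_IROTH)
        if ok:
            allowed.append(name)
    return sorted(allowed)

if __name__ == "__main__":
    # 'shadow' group layout: root:shadow 0640 with cyrus in the group
    print(readers(0o640, 0, 42, SAMPLE_PASSWD, SAMPLE_GROUP))
    # root-only layout, as used when saslauthd does the lookups: root:root 0600
    print(readers(0o600, 0, 0, SAMPLE_PASSWD, SAMPLE_GROUP))
```

Any non-root name in the output is an account whose compromise exposes the password hashes; feeding the function the real contents of /etc/passwd and /etc/group plus the file's `os.stat()` values audits a live host.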