List:       strongswan-users
Subject:    Re: [strongSwan] xauth-pam with unprivileged user
From:       Martin Willi <martin () strongswan ! org>
Date:       2013-02-20 12:40:38
Message-ID: 1361364038.2859.25.camel () martin

Hi Claude,

> I'm using the xauth-pam module and strongswan runs as unprivileged user
> 'vpn'. [...] charon is not permitted to read /etc/shadow, even when
> adding user 'vpn' to the group 'shadow' which is allowed to read the
> file.

I've tried to reproduce that, unfortunately without success. It seems
that my PAM uses the setuid unix_chkpwd helper to verify passwords, and
this works with any privileges.

> we wrote a small patch which fixed the issue for us.

Thanks for the patch, looks good. I think it would be simpler to use the
initgroups(3) call, though. Please let me know if the patch at [1] works
for you, I'll then push it to master.

Best regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=934b49e8
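
The initgroups(3) approach mentioned in the reply above, as an added example that is not strongSwan's code and not the patch at [1]: setgid()/setuid() alone leave the supplementary group list untouched, so membership in a group such as 'shadow' only takes effect if initgroups() runs before the uid changes. The helper names drop_privileges and process_has_group are hypothetical; the account 'vpn' and group 'shadow' are the ones named in the thread.

```c
#define _DEFAULT_SOURCE 1   /* exposes initgroups(3) on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if gid is the effective gid or a supplementary group, 0 if not, -1 on error. */
int process_has_group(gid_t gid)
{
    int found = (gid == getegid());
    int n = getgroups(0, NULL);          /* size 0: only returns the count */
    gid_t *list = n < 0 ? NULL : calloc((size_t)n + 1, sizeof(*list));

    if (!list)
        return -1;
    n = getgroups(n, list);
    for (int i = 0; i < n; i++)
        found |= (list[i] == gid);
    free(list);
    return n < 0 ? -1 : found;
}

/* Hypothetical helper: drop from root to `user`. initgroups() and setgid()
 * need privilege, so both must run before setuid(). 0 on success, -1 on error. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);

    /* initgroups() loads every group `user` is a member of in the group
     * database, e.g. 'shadow', into the supplementary group list. */
    if (!pw || initgroups(user, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return (pw->pw_uid != 0 && setuid(0) == 0) ? -1 : 0;  /* root must stay gone */
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "vpn";   /* account from the thread */
    struct group *gr = getgrnam("shadow");
    gid_t shadow = gr ? gr->gr_gid : (gid_t)-1;      /* copy before the buffer is reused */

    if (drop_privileges(user) != 0)
        return 1;
    printf("%s has group shadow: %d\n", user, process_has_group(shadow));
    return 0;
}
```

Run as root with the account name as the argument; the printed value is 1 only when that account is a member of 'shadow' in the group database.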

