[strongSwan] xauth-pam with unprivileged user
Martin Willi
martin at strongswan.org
Wed Feb 20 13:40:38 CET 2013
Hi Claude,

> I'm using the xauth-pam module and strongswan runs as unprivileged user
> 'vpn'. [...] charon is not permitted to read /etc/shadow, even when
> adding user 'vpn' to the group 'shadow' which is allowed to read the
> file.

I've tried to reproduce that, unfortunately without success. It seems
that my PAM uses the setuid unix_chkpwd helper to verify passwords, and
this works with any privileges.

> we wrote a small patch which fixed the issue for us.

Thanks for the patch, looks good. I think it would be simpler to use the
initgroups(3) call, though. Please let me know if the patch at [1] works
for you, I'll then push it to master.

Best regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=934b49e8
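
Added example, not part of the original message and not strongSwan's code or the patch at [1]: a privilege drop that calls initgroups(3) before setgid/setuid, so that group memberships such as 'shadow' reach the unprivileged process, plus a check of the resulting group set. The function names drop_to_user and process_in_group are hypothetical.

```c
#define _DEFAULT_SOURCE            /* initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if the process holds gid (effective or supplementary), 0 if not, -1 on error. */
int process_in_group(gid_t gid)
{
    int n = getgroups(0, NULL);            /* size of the supplementary list */
    if (n < 0)
        return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof(*list));
    if (!list)
        return -1;
    int found = (getegid() == gid);        /* egid need not be in the list */
    n = getgroups(n, list);
    for (int i = 0; i < n; i++)
        found |= (list[i] == gid);
    free(list);
    return n < 0 ? -1 : found;
}

/* Permanently switch from root to `user`. Order matters: the group list and
 * gid must change while the process still has the privilege to change them. */
int drop_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw)
        return -1;                          /* unknown account: change nothing */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)  /* load group memberships */
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;                          /* root must not be recoverable */
    return 0;
}

int main(int argc, char **argv)
{
    struct group *gr = argc == 3 ? getgrnam(argv[2]) : NULL;
    if (!gr || drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "usage (as root): %s USER GROUP\n", argv[0]);
        return 1;
    }
    printf("uid=%d in %s: %d\n", (int)getuid(), gr->gr_name, process_in_group(gr->gr_gid));
    return 0;
}
```

Run as root with a user and group name: a drop that skips initgroups would print 0 for a group the user belongs to only through the group database.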