Re: auth_may_set_cap


From: Amon Ott <ao@rsbac.org>
Subject: Re: auth_may_set_cap
Date: Mon, 11 Sep 2000 10:14:31 +0200



(FD_raG, please use Subjects)

On Fri, 08 Sep 2000 #FD_raG wrote:
> Hi :)
> What does "auth_may_set_cap" mean?

A program/process with this flag may set process capabilities for other
processes. It is meant for secure authentication:

- /bin/login process reads username and password
- /bin/login process asks a specially secured authentication daemon (with
auth_may_set_cap) to check the password and set a setuid cap for it
- auth daemon sets a cap for /bin/login process
- /bin/login process calls setuid and starts the user shell

This was the original AUTH idea and led to its name. Please note that the auth
daemon can run under any uid, which should not be the secoff uid.

This auth scheme could easily be added with a PAM module and an auth daemon,
which unfortunately have never been written.

Amon.
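
The four-step flow from the mail above, as an added example that is not part of the original message and is not RSBAC code. Kernel, Process, auth_daemon, login and demo are hypothetical names for a toy model, and the user table, salt and uids are constructed sample values.

```python
import hashlib, hmac
from dataclasses import dataclass, field

@dataclass
class Process:
    pid: int
    uid: int
    auth_may_set_cap: bool = False
    caps: set = field(default_factory=set)  # uids this process may setuid to

class Kernel:
    """Hypothetical model of the two AUTH decisions; not the RSBAC API."""
    def __init__(self):
        self.procs = {}
    def spawn(self, pid, uid, auth_may_set_cap=False):
        self.procs[pid] = Process(pid, uid, auth_may_set_cap)
    def add_cap(self, caller, target, uid):
        # Only a process carrying auth_may_set_cap may grant caps to others.
        if not self.procs[caller].auth_may_set_cap:
            raise PermissionError("caller lacks auth_may_set_cap")
        self.procs[target].caps.add(uid)
    def setuid(self, pid, uid):
        # setuid is allowed only to a uid in the caller's capability set.
        if uid not in self.procs[pid].caps:
            raise PermissionError(f"pid {pid} has no cap for uid {uid}")
        self.procs[pid].uid = uid

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

SALT = b"constructed-salt"
USERS = {"alice": (1000, pw_hash("correct horse", SALT))}  # constructed sample

def auth_daemon(kernel, daemon_pid, client_pid, user, password):
    """Check the password; on success grant the client a cap for that uid."""
    uid, stored = USERS.get(user, (None, b""))
    ok = hmac.compare_digest(stored, pw_hash(password, SALT))
    if uid is None or not ok:
        return None
    kernel.add_cap(daemon_pid, client_pid, uid)
    return uid

def login(kernel, daemon_pid, login_pid, user, password):
    """/bin/login side: ask the daemon, then setuid with the granted cap."""
    uid = auth_daemon(kernel, daemon_pid, login_pid, user, password)
    if uid is None:
        return False
    kernel.setuid(login_pid, uid)
    return True

def demo():
    k = Kernel()
    k.spawn(1, uid=77, auth_may_set_cap=True)  # auth daemon, non-secoff uid
    k.spawn(2, uid=0)                          # /bin/login
    return k
```

In this model /bin/login cannot switch uid on its own and cannot grant itself a cap; only the daemon holding the flag can, and only after the password check passes.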