Re: Getpwnam helper fix

From: Giancarlo Razzolini <linux-fan@dont-contact.us>
Date: Fri, 28 Apr 2006 10:28:00 -0300

Henrik Nordstrom wrote:
> Thu 2006-04-27 at 23:12 -0300, Giancarlo Razzolini wrote:
>
>> I took a quick look at the configure tests that Squid makes, and didn't
>> see it looking for shadow.h or the shadow suite (correct me if I'm
>> wrong). So I think that a simple test should suffice. And perhaps a
>> variable like HAVE_SHADOW_H could be added to the config.h. I didn't
>> know that some systems have the 2 kinds of authentication, but if you say
>> so, I believe. Nowadays, the majority of systems have some kind of
>> shadowing.
>
> You only need to add the header and function to the configure.in tests,
> the defines get automatically defined from there.
>
>> passwords. I can write a new helper using the getspnam function or can
>> modify the getpwnam helper to do both the authentications. I believe
>> that the second is the most desirable, because on the systems you
>> mentioned (that have both methods), only some users would authenticate
>> (ie. the ones that the helper you are using can authenticate).
>
> I am fine with either way. No strong opinion in either direction.
>
>> Anyway, the helper should be run with the suid root bit set, or could
>> use some kind of privilege separation. The plugin I wrote does this. So
>> even if the OpenVPN process drops its privileges and is run in a chroot,
>> users still authenticate, because my plugin does a fork() and leaves a
>> background process running as root. And a new configure test should be
>> made to look for the shadow suite.
>
> With Squid we do not have such luxury of being able to fork off before.
> The helpers always get started after chrooting and dropping privileges,
> and helpers needing special privileges need to be privileged to restore
> them (i.e. set-user-id or similar).
>
> Regards
> Henrik

Right. I'll write the patch to the getpwnam.c and configure.in files.
Does this helper have some kind of documentation? If not, I'm willing to
write it too. I'll get in contact when I have some code.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85

Received on Fri Apr 28 2006 - 09:56:43 MDT
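
The single-helper approach discussed in this thread (try the shadow entry, fall back to the passwd field, and notice when privilege is missing), as an added example that is not part of the original message or Squid's getpwnam.c. HAVE_SHADOW_H is the define proposed in the thread; `select_hash`, `lookup_hash` and the status enum are hypothetical names, and checking the password against the returned hash (e.g. with crypt()) is left to the caller.

```c
#include <pwd.h>
#include <string.h>
/* Stand-in for the configure.in header test discussed in the thread. */
#if !defined(HAVE_SHADOW_H) && defined(__has_include)
# if __has_include(<shadow.h>)
#  define HAVE_SHADOW_H 1
# endif
#endif
#ifdef HAVE_SHADOW_H
# include <shadow.h>
#endif

enum hash_status { HASH_OK, HASH_NO_USER, HASH_LOCKED, HASH_NEED_PRIVILEGE };

/* Hypothetical function: pick the stored hash to verify a login against.
 * pw_field is pw_passwd from getpwnam(); sp_field is sp_pwdp from
 * getspnam(), or NULL when no shadow entry could be read. */
enum hash_status select_hash(const char *pw_field, const char *sp_field,
                             const char **out)
{
    const char *h = sp_field != NULL ? sp_field : pw_field;
    *out = NULL;
    if (h == NULL)
        return HASH_NO_USER;
    /* "x" in passwd and no readable shadow entry: the hash exists, but this
     * process lacks the privilege to read it (helper is not set-user-id). */
    if (sp_field == NULL && strcmp(h, "x") == 0)
        return HASH_NEED_PRIVILEGE;
    /* Policy assumed here: empty, "*" and "!"-prefixed fields never log in. */
    if (h[0] == '\0' || h[0] == '*' || h[0] == '!')
        return HASH_LOCKED;
    *out = h;
    return HASH_OK;
}

/* Hypothetical function: consult both databases for one user. */
enum hash_status lookup_hash(const char *user, const char **out)
{
    const struct passwd *pw = getpwnam(user);
    const char *sp_field = NULL;
#ifdef HAVE_SHADOW_H
    const struct spwd *sp = pw != NULL ? getspnam(user) : NULL;
    if (sp != NULL)
        sp_field = sp->sp_pwdp;
#endif
    return select_hash(pw != NULL ? pw->pw_passwd : NULL, sp_field, out);
}
```

A helper that gets HASH_NEED_PRIVILEGE can log the missing set-user-id bit rather than silently rejecting every shadowed user.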

This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:04 MDT