[squid-users] Re:Help!setting up squid to authenticate through accounts passwords

From: Fred Kamwaza <fred@dont-contact.us>
Date: Fri, 25 May 2001 08:47:35 +0200 (CAT)

I just want to thank you very much for your time and effort to give me all
these tips. I have tried what you suggested here and it's working perfectly
well. I now simply have to weigh the situation again in the light of the
security hole I will be creating.

Thanks once again,

Fred.

> Well, pam_auth is an external program invoked by squid, where
> squid is started as uid nobody (or what you have defined for your
> cache_effective_user). As a result, pam_auth is started as the
> same uid as squid (type ps -axu | grep pam_auth or ps -ef | grep
> pam_auth).
> pam_auth is looking into your /etc/passwd and /etc/shadow (or
> /etc/master.passwd for bsd-ish system??) and checks for the login
> and password pair. You need root for viewing the shadow file. If not, you
> will get "ERR" each time verifying a password.
> If you want to use pam_auth, here are some ways for you:
> (1)
> chown root /bin/pam_auth
> chmod u+s /bin/pam_auth
> or (2)
> chgrp root /etc/shadow
> chmod g+r /etc/shadow
> chgrp root /bin/pam_auth
> chmod g+s /bin/pam_auth
>
> I personally feel pam_auth is a dangerous program to run if you are
> running a multi-user system. Unless you are running a
> dedicated-cache system, pam_auth might get yourself into trouble.
> This may allow users to do brute-force attacks on password
> guessing or password sniffing on the port pam_auth is listening on, and
> an unknown setuid buffer overflow for pam_auth, if one exists. Do this at your
> own risk. Good luck!!
>
> From Joe/SIT/MIS

-- 
Fred Kamwaza
University of Malawi
The Polytechnic
P/B 303, Chichiri, Blantyre 3
-------------------------------------
Tel: (265) 670 411 (o); (265) 842 891 (m)
Fax: (265) 670 578
email: fred@sdnp.org.mw
URL: http://poly.sdnp.org.mw
Received on Fri May 25 2001 - 00:37:58 MDT
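
The permission changes in options (1) and (2) of the quoted reply can be audited after they are applied. The script below is an added example, not part of either message or of squid; the function names and finding labels are hypothetical, and both paths are passed as arguments so it can be tried on copies first.

```shell
#!/bin/sh
# Added example: report the exposure created by the setuid/setgid options
# discussed in the thread. Uses only POSIX find(1) permission tests.

# has_perm FILE MODE: succeeds if FILE has every bit of octal MODE set.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_auth_helper HELPER SHADOW
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
audit_auth_helper() {
    helper=$1; shadow=$2; findings=0; privileged=0
    if has_perm "$helper" 4000; then
        echo "SETUID: $helper runs with its owner's uid for every caller"
        findings=$((findings + 1)); privileged=1
    fi
    if has_perm "$helper" 2000; then
        echo "SETGID: $helper runs with its group's gid for every caller"
        findings=$((findings + 1)); privileged=1
    fi
    # A privileged helper that "other" may execute can be driven by any
    # local account, which is the multi-user concern raised in the reply.
    if [ "$privileged" -eq 1 ] && has_perm "$helper" 0001; then
        echo "WORLD-EXEC: any local user can invoke privileged $helper"
        findings=$((findings + 1))
    fi
    # A privileged helper must not be writable by group or other.
    if [ "$privileged" -eq 1 ] && { has_perm "$helper" 0020 || has_perm "$helper" 0002; }; then
        echo "WRITABLE: privileged $helper is group- or world-writable"
        findings=$((findings + 1))
    fi
    if has_perm "$shadow" 0040; then
        echo "GROUP-READ: $shadow is readable by its group"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run the audit when called as: script HELPER SHADOW
if [ $# -eq 2 ]; then
    audit_auth_helper "$1" "$2"
fi
```

Called with the helper and shadow paths from the thread, it lists which of the two options is in effect and whether the helper is reachable by accounts other than the one squid runs as.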

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:17 MST