Q0029

Nigel Metheringham edited this page Nov 29, 2012 · 2 revisions
Clone this wiki locally

Q0029

Question

I can't seem to figure out why PAM support doesn't work correctly.

Answer

There is a problem using PAM with shadow passwords when the calling program is not running as root. Exim is normally running as the Exim user when authenticating a remote host.

  1. One solution can be found at http://www.e-admin.de/pam_exim/.

  2. PAM 0.72 allows authorization as non-root, using setuid helper programs. Furthermore, in /etc/pam.d/exim you can explicitly specify that this authorization (using setuid helpers) is only permitted for certain users and groups.

  3. Another approach is to authenticate using the saslauthd daemon, which has its own interface to PAM. The daemon runs as root, so there is no access problem.

  4. One suggested solution was to set

exim_group=shadow

in the configuration file, or the equivalent at build time. This is very strongly discouraged. Do not do it! It works, but it's a potential security exposure. Exim is intended to run as a non-privileged user for much of the time. This setting gives it have privileged access to crucial security information all of the time, simply for the purposes of authentication (which Exim will only spend a tiny part of its total time doing). The result is that a successful compromise of the Exim system can give someone direct access to the system passwords.