bsd_auth(3) question

Maxime Villard
Hi,
is there a way to use auth_userokay() without setgid
to "auth"?

When testing this code:

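#include <sys/types.h>   /* base types used by <login_cap.h> */
#include <login_cap.h>
#include <bsd_auth.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strdup() */

int main(void)
{
    printf("authentication ");

    /* auth_userokay() takes non-const char * arguments, hence the copies. */
    char *user = strdup("me");
    char *pass = strdup("pass");

    if (user == NULL || pass == NULL)
        return 1;

    if (!auth_userokay(user, NULL, "auth-mytest", pass))
        printf("failed\n");
    else
        printf("successful\n");
    return 0;
}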

I get:

$ ./test
test: invalid script: /usr/libexec/auth/login_passwd
authentication failed

So it seems that I have to setgid to "auth", and my binary
must be setuid.

Am I wrong? Is there a way of authenticating without being
setuid?

Thanks

Re: bsd_auth(3) question

William Ahern-2
On Sat, Nov 10, 2012 at 09:47:58PM +0100, rustyBSD wrote:
> Hi,
> is there a way to use auth_userokay() without setgid
> to "auth"?
>
<snip>
> So it seems that I have to setgid to "auth", and my binary
> must be setuid.
>
> Am I wrong? Is there a way of authenticating without being
> setuid?

There's also setgid (chmod g+s).

You can't check a password without having the proper privilege. Otherwise
anybody on the system could run dictionary attacks.
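
The reply's point in practice, as an added example that is not part of the thread: a setgid program can confirm it actually holds the needed group before checking a password, and give the group up for good once the check is done. The names `check_fn`, `gid_held`, `holds_group`, `drop_setgid` and `check_then_drop` are hypothetical; on OpenBSD the callback would be a small wrapper around auth_userokay() and the group name would be "auth".

```c
/* Added example (not from the thread); portable POSIX, helper names hypothetical. */
#include <sys/types.h>
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>

/* On OpenBSD this would wrap auth_userokay(); nonzero means accepted. */
typedef int (*check_fn)(const char *user, const char *pass);

/* 1 if gid is the effective gid or in the supplementary list, else 0. */
int gid_held(gid_t gid, gid_t egid, const gid_t *groups, int n)
{
    if (gid == egid) return 1;
    for (int i = 0; i < n; i++)
        if (groups[i] == gid) return 1;
    return 0;
}

/* 1 = process holds the named group, 0 = it does not, -1 = lookup failed. */
int holds_group(const char *name)
{
    struct group *gr = getgrnam(name);
    int n = getgroups(0, NULL);
    if (gr == NULL || n < 0) return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof(*list));
    if (list == NULL) return -1;
    n = getgroups(n, list);
    int held = n < 0 ? -1 : gid_held(gr->gr_gid, getegid(), list, n);
    free(list);
    return held;
}

/* Give up a setgid-acquired group; fail if the old group can be regained. */
int drop_setgid(void)
{
    gid_t rgid = getgid(), old = getegid();
    if (setregid(rgid, rgid) != 0) return -1;
    if (old != rgid && setegid(old) == 0) return -1;
    return getegid() == rgid ? 0 : -1;
}

/* 1 = accepted, 0 = rejected, -1 = group not held or drop failed. */
int check_then_drop(const char *group, check_fn check,
                    const char *user, const char *pass)
{
    if (holds_group(group) != 1) return -1;   /* fail before touching the password */
    int ok = check(user, pass) ? 1 : 0;
    return drop_setgid() == 0 ? ok : -1;      /* never report success while still privileged */
}
```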