tor 2006-04-27 klockan 23:12 -0300 skrev Giancarlo Razzolini:
> I took a quick look on the configure tests that squid make, and didn't
> saw it looking for shadow.h or the shadow suite (correct me if I'm
> wrong). So i think that a simple test should suffice. And perhaps a
> variable like HAVE_SHADOW_H could be added to the config.h. I didn't
> knew that some systems have the 2 kind of authentication, but if you say
> so, i believe. Nowadays, the majority of systems have some kind of
> shadowing.
You only need to add the header and function to the configure.in tests,
the defines gets automatically defined from there..
> passwords. I can write a new helper using the getspnam function or can
> modify the getpwnam helper to do both the authentications. I believe
> that the second is the most desirable, because on the systems you
> mentioned (that have both methods), only some users would authenticate
> (ie. the ones that the helper you are using can authenticate).
I am fine with either way. No strong opinion in either direction.
> Anyway, the helper should be run with the suid root bit set, or could
> use some kind of privilege separation. The plugin i wrote does this. So
> even if the OpenVPN process drop it's privileges and is run in a chroot,
> users still authenticate, because my plugin does a fork() and leave a
> background process running as root. And a new configure test should be
> made to look for the shadow suite.
With Squid we do not have such luxury of being able to fork of before.
The helpers always gets started after chrooting and dropping privileges,
and helpers needing special privileges needs to be privileged to restore
them.. (i.e. set-user-id or similar).
Regards
Henrik
This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:04 MDT