Well, I have just tried (as root, in CentOS) to edit /etc/group by hand, and I had no problems. Is it not the case that if the RADIUS PAM module runs as root, it will also be able to do so?
You are an administrator. You are a human. You have reasoning. A PAM module running as root should be jailed (through SELinux or other constraints). A PAM module is not human. A PAM module does not have reasoning. Just because *you* can, does not mean a program running as root should. In fact, a program running as root should *never* *ever* write to configuration files (such as /etc/group) unless a) they are the application's own configuration files, or b) prompted to through a configuration application by the administrator. Seriously... DO. NOT. DO. WHAT. YOU. INTEND. TO. DO. It's bad (terrible) practice. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.