Freeradius-Users Digest, Vol 124, Issue 3

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Wed Aug 5 10:06:52 CEST 2015


> Well, I have just tried (as root, in CentOS) to edit /etc/group by
> hand, and I had no problems. Is it not the case that if the RADIUS PAM
> module runs as root, it will also be able to do so?

You are an administrator. You are a human. You have reasoning. A PAM module running as root should be jailed (through SELinux or other constraints). A PAM module is not human. A PAM module does not have reasoning.

Just because *you* can, does not mean a program running as root should. In fact, a program running as root should *never* *ever* write to configuration files (such as /etc/group) unless a) they are the application's own configuration files, or b) prompted to through a configuration application by the administrator.

Seriously... DO. NOT. DO. WHAT. YOU. INTEND. TO. DO. It's bad (terrible) practice.

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator


