[opensuse] Leap: kcheckpass no longer suid
Hi,

We recently updated our clients from 13.2 to 42.2. And kcheckpass seems to have no longer set the suid bit (starting from 42.1 I guess). Is there a reason why? I guess security?

But without suid bit set screensaver unlocks only if /etc/ldap.conf is world readable. Otherwise I get in KDE

kcheckpass[14251]: pam_ldap: missing file "/etc/ldap.conf"

However, we store our ldap passwd in /etc/ldap.conf for pam_ldap authentication. Setting /etc/ldap.conf world readable allows local users to see the bind password, which is not at all ideal.

What is less secure? suid for kcheckpass or readable bind credentials? Or have I missed something?

Thanks for any hint on this topic.

Cheers,
Urs

On 11.01.2017 21:45, Urs Beyerle wrote:
> However, we store our ldap passwd in /etc/ldap.conf for pam_ldap authentication. Setting /etc/ldap.conf world readable allows local users to see the bind password, which is not at all ideal.

Use sssd instead of pam_ldap. It has numerous advantages:

- entries caching
- easier multi-domain setup
- hides bind password :-)

Google for sssd and ldap

On 01/11/2017 11:26 PM, Florian Gleixner wrote:
> Use sssd instead of pam_ldap. It has numerous advantages:
> - entries caching
> - easier multi-domain setup
> - hides bind password :-)
>
> Google for sssd and ldap

Many thanks. Will give it a try.
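
A check for the exposure discussed in this thread, as an added example that is not part of the original messages: it flags a config file that both sets an LDAP bind secret and is readable by every local user, and reports whether a binary carries the set-user-ID bit. The function names and the paths passed in are assumptions; `bindpw` is the pam_ldap directive and `ldap_default_authtok` the sssd one.

```shell
#!/bin/sh
# Added example: audit files that may carry an LDAP bind secret.

# Succeeds if FILE has an active (non-comment) line that sets a bind
# secret: "bindpw" (pam_ldap) or "ldap_default_authtok" (sssd).
has_bind_secret() {
    grep -Eq '^[[:space:]]*(bindpw|ldap_default_authtok)([[:space:]]|=)' "$1"
}

# Succeeds if the "other" read bit is set on FILE.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Succeeds if FILE has the set-user-ID bit (e.g. a password checker
# helper that needs to read root-only configuration).
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# Returns 0 if FILE is fine, 1 if a bind secret is exposed to all
# local users, 2 if FILE does not exist.
audit_secret_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "SKIP $f: not present"
        return 2
    fi
    if has_bind_secret "$f" && world_readable "$f"; then
        echo "FAIL $f: bind secret readable by all local users"
        return 1
    fi
    echo "OK   $f"
    return 0
}

# Audit every path given on the command line (no-op without arguments).
for path in "$@"; do
    audit_secret_file "$path" || true
done
```

Run it as root with the config paths to check, for example `/etc/ldap.conf` and `/etc/sssd/sssd.conf`.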