Kbase P72583: AdminServer user authentication on UNIX
Author   Progress Software Corporation - Progress
Access   Public
Published   10/02/2010
Status: Verified

GOAL:

AdminServer user authentication on UNIX

GOAL:

How does the AdminServer authenticate users?

FACT(s) (Environment):

UNIX
Progress 9.x
OpenEdge 10.x

FIX:

The AdminServer will authenticate the user-id of the account that is used to start it. It operates in two ways:

1) If a specific user-id is not specified, the AdminServer will do a getuid() for the current account and validate that the account exists.

2) If a specific user-id [ and password ] is specified, the AdminServer will first authenticate that the account exists and the password is correct.

For both operations it must use the UNIX system's passwd files to some extent. It may be either NIS passwd or /etc/passwd, or both, depending upon the configuration. If only account validation is performed, we only look up that the account exists, and that lookup does not use the shadow password file. If both account validation and password validation are performed, then we use both the passwd files and the shadow password files if the system is configured to use them. Many of these variables are controlled by the UNIX system administrator.

With local /etc/passwd files and shadow password files, the operating system will protect them and require a process to have "root" privileges to access them and to validate passwords. Using the NIS passwd system generally does not require "root" privileges to access accounts and validate passwords. Again, the level of security is up to the UNIX system administrator.

The general rule is: The AdminServer must be started with an account that has privileges consistent with validating account ids and passwords on that particular UNIX system's configuration. To know whether you require "root" privileges or not, you may have to consult the UNIX system administrator.
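The following preflight check is an added example, not Progress code. Run as the account that will start the AdminServer, it shows whether that account can perform the account lookup and whether it can read shadow entries for password validation. It assumes a platform that provides `<shadow.h>` (glibc or Solaris); the function and enum names are hypothetical.

```c
/* Added example (not Progress code): preflight for the two lookups above. */
#include <errno.h>
#include <pwd.h>
#include <shadow.h>   /* assumption: platform ships the shadow API */
#include <stdio.h>
#include <unistd.h>

enum pw_store { PW_SHADOW, PW_INLINE, PW_LOCKED, PW_EMPTY };

/* Where does a passwd entry keep its hash? "x" defers to the shadow file. */
enum pw_store classify_pw_field(const char *f) {
    if (f == NULL || f[0] == '\0') return PW_EMPTY;
    if (f[0] == 'x' && f[1] == '\0') return PW_SHADOW;
    if (f[0] == '*' || f[0] == '!') return PW_LOCKED;
    return PW_INLINE;   /* hash is served by the passwd source itself */
}

/* Account validation only: uses the passwd database, never the shadow file. */
int account_exists(const char *name) {
    return getpwnam(name) != NULL;
}

/* 1 = shadow entry readable, 0 = no entry found, -1 = permission denied. */
int shadow_access(const char *name) {
    errno = 0;
    if (getspnam(name) != NULL) return 1;
    return (errno == EACCES) ? -1 : 0;
}

int main(void) {
    struct passwd *pw = getpwuid(getuid());   /* mode 1: the current account */
    if (pw == NULL) { puts("current uid has no passwd entry"); return 1; }
    printf("account %s exists (uid %d)\n", pw->pw_name, (int)getuid());
    switch (classify_pw_field(pw->pw_passwd)) {
    case PW_SHADOW:   /* mode 2 would need the shadow file */
        if (shadow_access(pw->pw_name) == 1)
            puts("shadow readable: password validation is possible");
        else
            puts("shadow not readable: password validation needs more privilege");
        break;
    case PW_INLINE: puts("hash is available from the passwd source"); break;
    case PW_LOCKED: puts("account has no usable password"); break;
    case PW_EMPTY:  puts("password field is empty"); break;
    }
    return 0;
}
```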