[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_unix opens /etc/shadow as regular user



On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:

> On Fri, 2006-01-27 at 10:30, Jonathan DeSena wrote:
>> On Fri, 27 Jan 2006 16:17:46 +0100, Thorsten Kukuk wrote:
>> > You don't need super-user rights, you only need the correct rights.
>> > And this depends on which mode and owner/group /etc/shadow has. With
>> > super-user rights you can of course always read it.
>> 
>> Okay, now I understand what you meant. It is true that the permissions
>> shadow file COULD be anything, however, it is traditional (I expected
>> standard) that it be owned by root:root with permissions 0400. If not,
>> it loses the whole point of the shadow file -- hiding passwords from
>> regular users. Should not pam_unix EXPECT traditional permissions on
>> /etc/shadow, given that it is the "standard Unix authentication module"?
> 
> The common exception is where you want web authentication to use pam and
> one of the methods you want to include is the system password file.  In
> this case you have to give httpd read access, probably by making shadow
> group apache and group readable.  If you are proposing a change that makes
> this unnecessary, then root:root might be reasonable.

You give httpd read access IF you do NOT have a setuid helper binary to do
the read. This is why the setuid helper binary method exists -- to allow
non-root processes that otherwise could not access the shadow file to
authenticate shadow passwords using pam_unix.

In your example, if httpd can be configured to use PAM, then by using
pam_unix, the httpd need not have read access to /etc/shadow. I would
configure the shadow password traditionally as above, configure httpd
pam service to include pam_unix for authentication, and leave httpd binary
with perms 0755.

By the way, I have only set up httpd to do htpasswd type authentication, so I
am not sure if the configuration I describe is possible. I am not sure I would
use local unix passwords to authenticate web servers, even if it were possible.

Jon


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]