[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_unix opens /etc/shadow as regular user



> On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:
>> The common exception is where you want web authentication to use pam and
>> one of the methods you want to include is the system password file.  In
>> this case you have to give httpd read access, probably by making shadow
>> group apache and group readable.  If you are proposing a change that
>> makes this unnecessary, then root:root might be reasonable.
> 
> You give httpd read access IF you do NOT have a setuid helper binary to do
> the read. This is why the setuid helper binary method exists -- to allow
> non-root processes that otherwise could not access the shadow file to
> authenticate shadow passwords using pam_unix.
> 
> In your example, if httpd can be configured to use PAM, then by using
> pam_unix, the httpd need not have read access to /etc/shadow. I would
> configure the shadow password traditionally as above, configure httpd pam
> service to include pam_unix for authentication, and leave httpd binary
> with perms 0755.
> 
> By the way, I have only set up httpd to do htpasswd type authentication,
> so I am not sure if the configuration I describe is possible. I am not
> sure I would use local unix passwords to authenticate web servers, even if
> it were possible.

I see now that mod_auth_pam will allow apache to use PAM. The web page
suggests configuring as Les describes: making shadow group apache and
group readable. However, using pam_unix with helper setuid binary
obviates this and allows configuration as I described (which seems nicer
to me, except for the audit log entries that will be generated with
current pam_unix).

Jon


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]