
Re: pamifying a non-root apache?

Chris Dent writes:
>So that came along and I got all excited about being able to run
>apache with mod_auth_pam but then remembered/realized that pwdb_chkpwd
>checks the password of the real UID of the process. A very good thing
>for almost every case but in this one a bit of a bummer.
>So my question is: Given a situation where one really does want to do
>shadow based authentication from processes not running as root nor as
>the user being authenticated, and use PAM, what does one do?

It seems to me that it would be appropriate to have a configuration
file read by mod_auth_pam that gives the names of users (besides root,
of course) who are allowed to query about passwords of other users.
By default, no one would be able to do so, but this would give sysadmins
in situations like this the ability to set their own level of security.
(Isn't that what PAM is about -- putting policy decisions in the hands
of sysadmins?)


"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
