
Re: pamifying a non-root apache?

> Chris Dent writes:
>>So that came along and I got all excited about being able to run
>>apache with mod_auth_pam but then remember/realized that pwdb_chkpwd
>>checks the password of the real UID of the process. A very good thing
>>for almost every case but in this one a bit of a bummer.
>>
>>So my question is: Given a situation where one really does want to do
>>shadow based authentication from processes not running as root nor as
>>the user being authenticated, and use PAM, what does one do?
> 
> It seems to me that it would be appropriate to have a configuration
> file read by mod_auth_pam that gives the names of users (besides root,
> of course) who are allowed to query about passwords of other users.
> By default, no one would be able to do so, but this would give sysadmins
> in situations like this the ability to set their own level of security.
> (Isn't that what PAM is about -- putting policy decisions in the hands
> of sysadmins?)
> 
> michaelkjohnson

	As a sysadmin (and a consultant who trains sysadmins) I have
	to say: 

		PLEASE! Don't create another conf. file.

	... I'd like to see this done via the existing groups
	mechanism and a command parameter to the module (in the 
	pam.conf file).  Thus I could say something like:

		pam_unix.so	authgroup=passwd

	... and then just create a "passwd" group in /etc/groups
	and put the authorized, authenticating users (that is:
	the users that are authorized to authenticate for others)
	in that group.

	This would allow us to set 'crack' and this Apache module
	as SGID "passwd" -- which allows them to execute the 
	authentication without giving them any file access to any
	of the data files involved.

	Is that doable?

--
Jim Dennis  (800) 938-4078		consulting@starshine.org
Proprietor, Starshine Technical Services:  http://www.starshine.org
        PGP  1024/2ABF03B1 Jim Dennis <jim@starshine.org>
        Key fingerprint =  2524E3FEF0922A84  A27BDEDB38EBB95A 
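The policy Jim sketches above (root and the user themself are allowed, as pwdb_chkpwd does today; anyone else only if the module was given an `authgroup=` argument in pam.conf and the caller is either a member of that group or running with that group as its effective gid because the binary is SGID) can be written down as a small decision routine. The code below is an added example, not code from this thread, from pwdb or from Linux-PAM, and it models only the authorization decision, not the hash comparison. The group file, the gids, the uids and the function names (`parse_authgroup`, `may_check_password`, `SAMPLE_GROUP_FILE`) are constructed for the example.

```c
/* Added example: the "authgroup" policy from Jim Dennis's proposal, modelled
 * against a constructed in-memory /etc/group. Not Linux-PAM or pwdb code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for /etc/group (names and gids are made up). The
 * "passwd" line is the group that "authgroup=passwd" in pam.conf would name;
 * its members are the accounts allowed to verify other users' passwords. */
static const char *const SAMPLE_GROUP_FILE[] = {
    "root:x:0:",
    "wheel:x:10:jim",
    "passwd:x:105:apache,crack",
    "users:x:100:chris,jim",
    NULL
};

/* Split a colon-separated line in place, keeping empty fields
 * (strtok would collapse them and mis-parse "root:x:0:"). */
static int split_colon(char *line, char *fields[], int max)
{
    int n = 0;
    char *p = line;
    while (n < max) {
        fields[n++] = p;
        char *c = strchr(p, ':');
        if (c == NULL)
            break;
        *c = '\0';
        p = c + 1;
    }
    return n;
}

/* Find `name` in the sample group file. On success returns 1, stores the
 * gid and copies the comma-separated member list (possibly empty). */
static int lookup_group(const char *name, gid_t *gid, char *members, size_t mlen)
{
    for (int i = 0; SAMPLE_GROUP_FILE[i] != NULL; i++) {
        char line[256];
        char *f[4];
        snprintf(line, sizeof line, "%s", SAMPLE_GROUP_FILE[i]);
        int n = split_colon(line, f, 4);
        if (n < 3 || strcmp(f[0], name) != 0)
            continue;
        *gid = (gid_t)strtoul(f[2], NULL, 10);
        snprintf(members, mlen, "%s", n == 4 ? f[3] : "");
        return 1;
    }
    return 0;
}

/* Exact-match search of `user` in a "a,b,c" member list. */
static int is_member(const char *members, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = members;
    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == ulen && strncmp(p, user, ulen) == 0)
            return 1;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

/* Scan the module's pam.conf arguments for authgroup=NAME, the way a PAM
 * module walks its argc/argv. NULL when absent, so the default stays
 * "only root and the user themself". */
const char *parse_authgroup(int argc, const char *argv[])
{
    for (int i = 0; i < argc; i++)
        if (strncmp(argv[i], "authgroup=", 10) == 0 && argv[i][10] != '\0')
            return argv[i] + 10;
    return NULL;
}

/* May a process with real uid `ruid` (account `ruser`) and effective gid
 * `egid` verify the password of `target_uid`? 1 = yes, 0 = no. */
int may_check_password(uid_t ruid, const char *ruser, gid_t egid,
                       uid_t target_uid, const char *authgroup)
{
    gid_t agid;
    char members[256];

    if (ruid == 0)               /* root: unchanged from today */
        return 1;
    if (ruid == target_uid)      /* own password: what pwdb_chkpwd already allows */
        return 1;
    if (authgroup == NULL)       /* option not configured: default deny */
        return 0;
    if (!lookup_group(authgroup, &agid, members, sizeof members))
        return 0;                /* unknown group name: fail closed */
    if (egid == agid)            /* binary is SGID authgroup */
        return 1;
    return is_member(members, ruser);
}

int main(void)
{
    const char *pam_args[] = { "nullok", "authgroup=passwd" };
    const char *ag = parse_authgroup(2, pam_args);
    /* constructed uids: apache 48, chris 1000, jim 1001 */
    printf("apache -> chris: %s\n", may_check_password(48, "apache", 48, 1000, ag) ? "allowed" : "denied");
    printf("chris  -> jim:   %s\n", may_check_password(1000, "chris", 100, 1001, ag) ? "allowed" : "denied");
    return 0;
}
```

The two things worth keeping from this model are the defaults: with no `authgroup=` argument nothing changes, and a misspelled group name denies rather than silently allowing. The SGID path is what lets the Apache module and crack run as their own users while still passing the check, exactly because the effective gid, not any file permission, is what the module looks at.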