[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

mod_auth_pam configuration using supplementary groups

I have been playing with trying to get mod_auth_pam to work on my apache 
1.3 install. The pam setup is standard for Redhat 7.3; that is:

[]# cat /etc/pam.d/system-auth
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
password required   /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required   /lib/security/pam_deny.so
session  required   /lib/security/pam_limits.so
session  required   /lib/security/pam_unix.so

[]# cat /etc/pam.d/httpd
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth

The section in my apache config that I am using to test is:

<Location /protected/>
  AllowOverride None

    AuthName "Dav"
    AuthType Basic
    require group www

I am having a problem though in that when the required group is a users 
primary group then authentication succeeds, but when it is a supplementary 
group it doesn't.

The authentication itself isn't failing because I put the debug option on 
the pam_unix for auth and it only complains when I put in a bad password 
either way. I read in the changelog that there was a patch to support 
supplemental groups, but I can't find a call to getgroups in the auth 
function. (I haven't written C in about 4 years, so I am a little rusty.) =)

I was wondering if anyone here knew the status of this? I am wanting to 
get this worked out because mod_dav requires all files to be writable by 
the webserver process and having pam will help with getting at least a 
modicum of security in place.

Will Holcomb

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []