PAM modules violating PAM architecture?, e.g. mod_auth_pam
Jed Donnelley
jed at nersc.gov
Wed Oct 6 20:16:16 UTC 2004
At 12:24 PM 10/6/2004, Kenneth Porter wrote:
>--On Wednesday, October 06, 2004 11:44 AM -0700 Jed Donnelley
><jed at nersc.gov> wrote:
>
>>Specifically, rather than going through PAM modules as specified in the
>>pam.d configuration file (e.g. pam.d/httpd in the case I am focusing on),
>>mod_auth_pam punches through directly to base underlying Unix calls
>>including getpwnam and getgrnam (calls that don't lay on top of PAM) for
>>parts of its function.
>
>The mod_auth_external module was pointed out to me this morning as an
>alternative to mod_auth_pam:
>
><http://www.unixpapa.com/mod_auth_external.html>
>
>One would use this in combination with the pwauth helper binary:
>
><http://www.unixpapa.com/pwauth/>
>
>The latter does the actual PAM authentication, using pipes for IPC.
Thanks for the note Kenneth. Since the primary purpose of
mod_auth_external seems to be allowing authentication from /etc/shadow
without making /etc/shadow readable by the httpd user, e.g. from:
http://www.unixpapa.com/pwauth/
"Mod_auth_pam or mod_auth_system can ... authenticate <to local
/etc/files > only if you make the shadow password file readable to the http
server. This means that if there are any exploitable vulnerabilities in the
http server, then it may be possible for people to grab a copy of your
shadow password file. Worse, any CGI program on your system which is not
run under suExec or cgiwrap also has read access to your shadow password
database, and any bugs in these might also expose your entire password
database. When mod_auth_external and pwauth are used, neither the http
server nor any CGI programs are given access to the shadow database."
, its use seems to be somewhat orthogonal to my needs. I don't allow my
apache user to read /etc/shadow because I want my authentication to come
remotely from LDAP and not locally. I can see that for others that might
want password information to come more securely from /etc/shadow the
mod_auth_external (or mod_auth_shadow?) could be useful.
While in principle using mod_auth_external in lieu of mod_auth_pam might
help my problem if mod_auth_external does its authentication strictly
through PAM, in practice for me I think the cost of another suid program
and the configuration costs are likely not worth the work for my situation,
especially given that I have a working solution with the modifications that
I made to mod_auth_pam. Thanks for the thought though!
--Jed http://www.webstart.com/jed/
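The pipe-based arrangement the thread describes (mod_auth_external handing the username and password to a separate helper such as pwauth, so that neither httpd nor its CGI programs need read access to /etc/shadow) can be sketched as follows. This is an added example, not code from the original mail, from mod_auth_external, or from pwauth. It assumes a simplified protocol (user and password written to the helper's stdin as two newline-terminated lines, exit status 0 meaning success, anything else failure), replaces the setuid pwauth binary with a Python stand-in, and uses a constructed in-memory credential store in place of /etc/shadow.

```python
"""Pipe-based external authentication after the mod_auth_external + pwauth
design. Added example; not code from either project.

Assumed protocol: the caller writes "<user>\n<password>\n" to the helper's
stdin and treats exit status 0 as success, anything else as failure.
The helper is a stand-in for pwauth; its "shadow" store is constructed
in memory. In the real design the helper is a separate setuid binary and
only it can read /etc/shadow."""
import subprocess
import sys

# Source of the stand-in helper. It runs in its own process, so the caller
# below never holds password hashes, mirroring the httpd side of the design.
HELPER_SRC = r'''
import hashlib, hmac, sys

ITER = 10000

def _h(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITER)

# Constructed stand-in for /etc/shadow: user -> (salt, pbkdf2 hash),
# built at startup from constructed demo credentials.
SHADOW = {
    "alice": (b"salt-alice", _h("correct horse", b"salt-alice")),
    "bob":   (b"salt-bob",   _h("hunter2",       b"salt-bob")),
}

raw = sys.stdin.buffer.read()
fields = raw.split(b"\n")
if len(fields) != 3 or fields[2] != b"":
    sys.exit(2)  # malformed request: expect exactly user, password, trailing newline
user = fields[0].decode("utf-8", "replace")
password = fields[1].decode("utf-8", "replace")
# Hash even for unknown users so response time does not reveal valid usernames.
salt, expected = SHADOW.get(user, (b"salt-none", b"\0" * 32))
ok = hmac.compare_digest(_h(password, salt), expected) and user in SHADOW
sys.exit(0 if ok else 1)
'''


def external_auth(user: str, password: str, helper_cmd=None) -> bool:
    """Authenticate via the helper process. Only the credentials cross the
    pipe; the hashes never enter this (web-server-side) process."""
    # Framing is newline-delimited: a newline or NUL inside either field
    # would be read as a different request, so refuse rather than escape.
    for field in (user, password):
        if field == "" or any(c in field for c in "\n\r\0"):
            return False
    cmd = helper_cmd if helper_cmd is not None else [sys.executable, "-c", HELPER_SRC]
    request = f"{user}\n{password}\n".encode("utf-8")
    try:
        proc = subprocess.run(cmd, input=request, capture_output=True,
                              timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return False  # fail closed if the helper cannot be run
    return proc.returncode == 0


if __name__ == "__main__":
    for u, p in [("alice", "correct horse"), ("alice", "wrong"), ("mallory", "x")]:
        print(u, "->", "accepted" if external_auth(u, p) else "rejected")
```

The point of the split is visible in the caller: external_auth holds no hashes and reads no secret file, so a bug in the web server or an unwrapped CGI program cannot leak the password database, only ask the helper yes/no questions. What it costs is exactly what the reply above weighs against it: a second privileged program (pwauth is setuid) with its own configuration, and a protocol boundary where framing has to be checked, which is why the caller refuses fields containing newlines instead of trying to escape them.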