mod_auth_pam vs sshd login

Jason Clifford jason at ukpost.com
Mon Oct 4 18:39:24 UTC 2004


On Mon, 4 Oct 2004, Kenneth Porter wrote:

> > The usual way is to add the user the apache process runs as to a special
> > group which you give permission to read the file.
> 
> So, for instance, create the group shadow, set the owner of /etc/shadow to 
> root.shadow, and mode to 740.

Yes.

> > Do remember to ensure that only those sites that *must* have access to
> > the file are run in the apache process running as that user.
> 
> I'm not sure how I'd set a per-site run-as-user. Probably not immediately 
> critical as I'm not running multiple sites on this server right now, but it 
> would be useful to know how to set that up if needed. Do you have a 
> suggestion for a Google expression for that?

Run the sites in different apache processes so that only those that need 
access to the shadow file are in the process that has it. All the others 
are in another one.

You do need 2 IPs for this (you could do it with a single IP if you use a 
proxy in front of the $n servers running the different sites but that's 
an apache matter rather than a pam one ;) )

Jason Clifford
-- 
UKFSN.ORG		Finance Free Software while you surf the 'net
http://www.ukfsn.org/	   ADSL Broadband from just £21.50 / month 
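
Added example, not part of the message above: a shell audit of the setup discussed in the thread. It reports risky permission bits on a shadow-style file and lists every account that gains read access through the group. The function names are hypothetical and the group and passwd entries are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: audit group-based read access to a
# shadow-style file. File contents below are constructed sample data.

# mode_findings OCTAL_MODE: print one finding per line; nothing if clean.
mode_findings() {
    n=$((0$1))                       # leading 0 makes the shell parse octal
    if [ $((n & 007)) -ne 0 ]; then echo "other-access"; fi
    if [ $((n & 020)) -ne 0 ]; then echo "group-write"; fi
    if [ $((n & 040)) -eq 0 ]; then echo "group-cannot-read"; fi
    if [ $((n & 0111)) -ne 0 ]; then echo "exec-bit"; fi
    return 0
}

# group_readers GROUP GROUPFILE PASSWDFILE: every account that gains the
# group's access, via the member list or via its primary GID.
group_readers() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || return 0
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, u, ",")
            for (i = 1; i <= n; i++) if (u[i] != "") print u[i] }' "$2"
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$3"
    } | sort -u
}

# make_sample DIR: write constructed group and passwd files into DIR.
make_sample() {
    printf '%s\n' 'root:x:0:' 'shadow:x:42:apache,backup' \
        'apache:x:48:' > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'apache:x:48:48:Apache:/var/www:/sbin/nologin' \
        'legacy:x:1001:42:Legacy:/home/legacy:/bin/sh' > "$1/passwd"
}

# Demo on the constructed data. On a live host (GNU stat) the inputs would be
# "$(stat -c %a /etc/shadow)", /etc/group and /etc/passwd.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "findings for mode 740:"; mode_findings 740
echo "accounts that can read via group shadow:"
group_readers shadow "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

The primary-GID lookup matters because an account whose default group is the shadow group can read the file without appearing in the group's member list.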



