pam_unix opens /etc/shadow as regular user
Jonathan DeSena
jonathan.desena at jhuapl.edu
Fri Jan 27 18:46:56 UTC 2006
On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:
> On Fri, 2006-01-27 at 10:30, Jonathan DeSena wrote:
>> On Fri, 27 Jan 2006 16:17:46 +0100, Thorsten Kukuk wrote:
>> > You don't need super-user rights, you only need the correct rights.
>> > And this depends on which mode and owner/group /etc/shadow has. With
>> > super-user rights you can of course always read it.
>>
>> Okay, now I understand what you meant. It is true that the permissions
>> shadow file COULD be anything, however, it is traditional (I expected
>> standard) that it be owned by root:root with permissions 0400. If not,
>> it loses the whole point of the shadow file -- hiding passwords from
>> regular users. Should not pam_unix EXPECT traditional permissions on
>> /etc/shadow, given that it is the "standard Unix authentication module"?
>
> The common exception is where you want web authentication to use pam and
> one of the methods you want to include is the system password file. In
> this case you have to give httpd read access, probably by making shadow
> group apache and group readable. If you are proposing a change that makes
> this unnecessary, then root:root might be reasonable.
You give httpd read access IF you do NOT have a setuid helper binary to do
the read. This is why the setuid helper binary method exists -- to allow
non-root processes that otherwise could not access the shadow file to
authenticate shadow passwords using pam_unix.
In your example, if httpd can be configured to use PAM, then by using
pam_unix, the httpd need not have read access to /etc/shadow. I would
configure the shadow password traditionally as above, configure httpd
pam service to include pam_unix for authentication, and leave httpd binary
with perms 0755.
By the way, I have only set up httpd to do htpasswd type authentication, so I
am not sure if the configuration I describe is possible. I am not sure I would
use local unix passwords to authenticate web servers, even if it were possible.
Jon
More information about the Pam-list
mailing list