pam_unix opens /etc/shadow as regular user

Jonathan DeSena jonathan.desena at jhuapl.edu
Fri Jan 27 19:26:27 UTC 2006


> On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:
>> The common exception is where you want web authentication to use pam and
>> one of the methods you want to include is the system password file.  In
>> this case you have to give httpd read access, probably by making shadow
>> group apache and group readable.  If you are proposing a change that
>> makes this unnecessary, then root:root might be reasonable.
> 
> You give httpd read access IF you do NOT have a setuid helper binary to do
> the read. This is why the setuid helper binary method exists -- to allow
> non-root processes that otherwise could not access the shadow file to
> authenticate shadow passwords using pam_unix.
> 
> In your example, if httpd can be configured to use PAM, then by using
> pam_unix, the httpd need not have read access to /etc/shadow. I would
> configure the shadow password traditionally as above, configure httpd pam
> service to include pam_unix for authentication, and leave httpd binary
> with perms 0755.
> 
> By the way, I have only set up httpd to do htpasswd type authentication,
> so I am not sure if the configuration I describe is possible. I am not
> sure I would use local unix passwords to authenticate web servers, even if
> it were possible.

I see now that mod_auth_pam will allow apache to use PAM. The web page
suggests configuring as Les describes: making shadow group apache and
group readable. However, using pam_unix with helper setuid binary
obviates this and allows configuration as I described (which seems nicer
to me, except for the audit log entries that will be generated with
current pam_unix).

Jon
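As an added example (not from the thread and not Linux-PAM's own code), a small audit script for the setup Jon describes: the shadow file stays unreadable by the web server's group, the httpd PAM service authenticates through pam_unix.so, and a setuid helper (unix_chkpwd in Linux-PAM) does the shadow read on the module's behalf. The function names and the sample files are constructed; on a real host the arguments would be /etc/shadow, /etc/pam.d/httpd and the helper binary.

```sh
#!/bin/sh
# Check the three pieces of the "shadow stays root-only" configuration.
# Parses `ls -ld`; field 1 is the mode string, field 4 the group name.

# Returns 0 if FILE is readable only by its owner (or by GROUP, default root),
# 1 if it is world-readable, 2 if it is group-readable by any other group,
# 3 if it does not exist.
shadow_perms_ok() {
  _f=$1; _okgrp=${2:-root}
  [ -e "$_f" ] || return 3
  set -- $(ls -ld "$_f")
  _perms=$1; _grp=$4
  case $(printf '%s' "$_perms" | cut -c8) in r) return 1 ;; esac   # other-read
  case $(printf '%s' "$_perms" | cut -c5) in                        # group-read
    r) [ "$_grp" = "$_okgrp" ] || return 2 ;;
  esac
  return 0
}

# Returns 0 if the PAM service file has an auth line that loads pam_unix.so.
pam_service_uses_unix() {
  grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$1"
}

# Returns 0 if the helper carries the setuid bit (position 4 of the mode
# string is 's' or 'S'), 1 otherwise, 3 if it does not exist.
helper_is_setuid() {
  [ -e "$1" ] || return 3
  set -- $(ls -ld "$1")
  case $(printf '%s' "$1" | cut -c4) in s|S) return 0 ;; esac
  return 1
}

# Constructed sample files standing in for /etc/shadow and /etc/pam.d/httpd.
_tmp=$(mktemp -d)
printf 'root:*:0:0:99999:7:::\n' > "$_tmp/shadow"
chmod 600 "$_tmp/shadow"
printf 'auth     required  pam_unix.so\naccount  required  pam_unix.so\n' > "$_tmp/httpd"
if shadow_perms_ok "$_tmp/shadow" && pam_service_uses_unix "$_tmp/httpd"; then
  echo "OK: shadow is owner-only and the httpd service authenticates via pam_unix"
fi
```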
