pam_unix opens /etc/shadow as regular user

Jonathan DeSena jonathan.desena at jhuapl.edu
Fri Jan 27 20:07:09 UTC 2006


On Fri, 27 Jan 2006 14:26:27 -0500, Jonathan DeSena wrote:

>> On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:
>>> The common exception is where you want web authentication to use pam
>>> and one of the methods you want to include is the system password file.
>>> In this case you have to give httpd read access, probably by making
>>> shadow group apache and group readable.  If you are proposing a change
>>> that makes this unnecessary, then root:root might be reasonable.
>> 
>> You give httpd read access IF you do NOT have a setuid helper binary to
>> do the read. This is why the setuid helper binary method exists -- to
>> allow non-root processes that otherwise could not access the shadow file
>> to authenticate shadow passwords using pam_unix.
>> 
>> In your example, if httpd can be configured to use PAM, then by using
>> pam_unix, the httpd need not have read access to /etc/shadow. I would
>> configure the shadow password traditionally as above, configure httpd
>> pam service to include pam_unix for authentication, and leave httpd
>> binary with perms 0755.
>> 
>> By the way, I have only set up httpd to do htpasswd type authentication,
>> so I am not sure if the configuration I describe is possible. I am not
>> sure I would use local unix passwords to authenticate web servers, even
>> if it were possible.
> 
> I see now that mod_auth_pam will allow apache to use PAM. The web page
> suggests configuring as Les describes: making shadow group apache and
> group readable. However, using pam_unix with helper setuid binary obviates
> this and allows configuration as I described (which seems nicer to me,
> except for the audit log entries that will be generated with current
> pam_unix).

Sorry, I just realized this won't work. As others have mentioned, the
helper binary uses the user of the process running it, which for apache
would be the apache user (or httpd), not the username of the one to be
authenticated. Sorry for the confusion.

Jon
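As an added illustration, not code from this thread or from Linux-PAM, here is a small Python model of the rule Jon describes: pam_unix reads the shadow file directly when the caller can, otherwise it calls the setuid helper, and the helper only verifies the calling uid's own account unless the caller is root. The passwd/shadow tables and the uid 48 for apache are constructed, and PBKDF2 stands in for crypt(3); the group-readable case assumes the caller is in the shadow file's group (the "shadow group apache" workaround).

```python
import hashlib
import hmac

# Constructed stand-ins for /etc/passwd and /etc/shadow (not real data).
# PBKDF2 is used here only as a stand-in for the crypt(3) hash.
def _h(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000).hex()

PASSWD = {"root": 0, "apache": 48, "alice": 1000}          # name -> uid
SHADOW = {                                                  # name -> (salt, hash)
    "alice": (b"salt-a", _h("alice-pw", b"salt-a")),
    "apache": (b"salt-b", _h("apache-pw", b"salt-b")),
}

def check_hash(user, password):
    """Compare a candidate password against the stored shadow hash."""
    if user not in SHADOW:
        return False
    salt, stored = SHADOW[user]
    return hmac.compare_digest(_h(password, salt), stored)

def unix_chkpwd(caller_uid, user, password):
    """Simplified model of the setuid helper's caller check (assumption,
    not the real unix_chkpwd): root may verify any account, an unprivileged
    caller only the account that matches its own real uid."""
    if caller_uid != 0 and PASSWD.get(user) != caller_uid:
        return False  # helper refuses: not the caller's own account
    return check_hash(user, password)

def pam_unix_authenticate(caller_uid, user, password, shadow_mode=0o600):
    """Model of pam_unix: read shadow directly if the caller can, otherwise
    fall back to the helper. A group-readable mode is assumed to mean the
    caller's group owns the shadow file (the group-apache workaround)."""
    can_read_shadow = caller_uid == 0 or bool(shadow_mode & 0o040)
    if can_read_shadow:
        return check_hash(user, password)
    return unix_chkpwd(caller_uid, user, password)
```

With the default root:root 0600 shadow, the apache uid can authenticate only "apache", which is exactly why the helper does not help a web server verify other users' passwords.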
