pam_unix opens /etc/shadow as regular user

Steve Langasek vorlon at debian.org
Fri Jan 27 22:22:56 UTC 2006 

On Fri, Jan 27, 2006 at 02:26:27PM -0500, Jonathan DeSena wrote:
> > On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:
> >> The common exception is where you want web authentication to use pam and
> >> one of the methods you want to include is the system password file.  In
> >> this case you have to give httpd read access, probably by making shadow
> >> group apache and group readable.  If you are proposing a change that
> >> makes this unnecessary, then root:root might be reasonable.

> > You give httpd read access IF you do NOT have a setuid helper binary to do
> > the read. This is why the setuid helper binary method exists -- to allow
> > non-root processes that otherwise could not access the shadow file to
> > authenticate shadow passwords using pam_unix.

> > In your example, if httpd can be configured to use PAM, then by using
> > pam_unix, the httpd need not have read access to /etc/shadow. I would
> > configure the shadow password traditionally as above, configure httpd pam
> > service to include pam_unix for authentication, and leave httpd binary
> > with perms 0755.

> > By the way, I have only set up httpd to do htpasswd type authentication,
> > so I am not sure if the configuration I describe is possible. I am not
> > sure I would use local unix passwords to authenticate web servers, even if
> > it were possible.

> I see now that mod_auth_pam will allow apache to use PAM. The web page
> suggests configuring as Les describes: making shadow group apache and
> group readable. However, using pam_unix with helper setuid binary
> obviates this and allows configuration as I described

Except it does not, because the stock unix_chkpwd helper as distributed with
Linux-PAM does not allow you to check passwords for any user except the one
matching the current uid.

So your patch is still incorrect.  Either you need a better audit policy, or
you'll have to patch Linux-PAM locally; I recommend the former.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/pam-list/attachments/20060127/6b6ab8fb/attachment.sig>

More information about the Pam-list mailing list