pam_unix opens /etc/shadow as regular user

Jonathan DeSena jonathan.desena at jhuapl.edu
Mon Jan 30 15:33:17 UTC 2006


On Fri, 27 Jan 2006 14:22:56 -0800, Steve Langasek wrote:
>> I see now that mod_auth_pam will allow apache to use PAM. The web page
>> suggests configuring as Les describes: making shadow group apache and
>> group readable. However, using pam_unix with helper setuid binary
>> obviates this and allows configuration as I described.
> 
> Except it does not, because the stock unix_chkpwd helper as distributed
> with Linux-PAM does not allow you to check passwords for any user except
> the one matching the current uid.

Yes, I corrected myself in a follow-up.

> So your patch is still incorrect.  Either you need a better audit policy,
> or you'll have to patch Linux-PAM locally; I recommend the former.

I will probably do the latter for now, at least. The modification to
the audit policy that would help would be to not log accesses of
/etc/shadow by certain programs running as non-root (only xscreensaver in
our environment). Unfortunately, SNARE does not support filtering by
program name, only user. Regardless, I do not think this would be an
allowable change. I also enumerated some other possibilities in a previous
post.

Thanks to all for helping to point out the limitations of my simple patch.
I now understand better when it will and will not work. That is why I
posted it to the list. 

I would still appreciate any additional comments on how to best resolve
the auditing issue.

Jon
