pam_unix.so and unix_chkpw setgid - does it work for regular users?

Steve Langasek vorlon at debian.org
Thu Aug 2 19:47:36 UTC 2012


On Thu, Aug 02, 2012 at 05:36:55PM +0200, Wolfgang Draxinger wrote:
> I'm currently trying to configure user authentication on a webserver,
> that shall use the normal system user names and passwords. I'm using
> Nginx as webserver, together with the auth_pam module, as packages by
> Debian wheezy.

> I expected that since unix_chkpw is set setgid shadow I could use
> pam_unix.so for the webserver service just as is. However, it turned
> out that the user for the webserver process must be in the group
> "shadow" for authentication to work. If the webserver can't read shadow
> it doesn't work.

> I was under the impression the idea of unix_chkpw was to have process
> separation and, by having a thoroughly audited helper program that can
> be setgid safely, to let a regular user perform pam_unix.so tests.

It's so that a regular user can *self* authenticate.  Allowing users to call
this setgid helper directly for other accounts would let them use it for
brute forcing of passwords.  So no, what you're asking for is disallowed by
design.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
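The guard Steve describes can be modelled in a few lines. The following is an added illustration, not code from Linux-PAM or from this thread: the real helper (unix_chkpwd) implements the same policy with more surrounding checks, but the decisive rule is that the *real* uid of the caller is compared against the account being checked, and only root is exempt. That is why a setgid-shadow helper does not let an nginx worker running as www-data verify other users' passwords, and why the web server must itself read /etc/shadow (or run as root) for that setup to work. The function name helper_target_allowed is an assumption made for this example.

```c
/* Model of the caller guard a setgid/setuid password-check helper applies
 * before it looks at the shadow entry.  Added illustration, not the
 * Linux-PAM unix_chkpwd source; helper_target_allowed() is a name chosen
 * for this example.
 */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if a process whose real uid is caller_uid may ask the helper to
 * verify the password of account `target`, 0 otherwise.
 *
 *  - root may check any account: that is the login/sshd case, where the
 *    checking service is privileged anyway.
 *  - any other caller may only check the account that owns its own real
 *    uid.  The real uid (getuid()) is what the helper consults, so a
 *    setgid or setuid helper does not widen this: the privilege the helper
 *    gains is used to read the hash, not to decide whom it may check.
 */
int helper_target_allowed(uid_t caller_uid, const char *target)
{
    if (target == NULL || *target == '\0')
        return 0;
    if (caller_uid == 0)
        return 1;

    const struct passwd *pw = getpwuid(caller_uid);
    if (pw == NULL)                 /* caller has no passwd entry: deny */
        return 0;

    /* Unprivileged caller: only self-authentication is permitted. */
    return strcmp(pw->pw_name, target) == 0;
}

/* Stand-alone demo: report whether this process could ask the helper to
 * check the account named on the command line.
 */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <account>\n", argv[0]);
        return 2;
    }
    uid_t me = getuid();
    int ok = helper_target_allowed(me, argv[1]);
    printf("real uid %lu asking about '%s': %s\n",
           (unsigned long)me, argv[1], ok ? "allowed" : "denied");
    return ok ? 0 : 1;
}
```

Run as an unprivileged user, the demo allows only that user's own name and denies every other account; run as root it allows all of them. A web server that wants to authenticate arbitrary system users through pam_unix therefore needs its own read access to the shadow hashes, which is exactly the privilege the helper is designed to withhold from unprivileged callers.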

