PAM authentification for apache

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi folks,

I'm using Debian potato (r2.2) with PAM-support v0.72.
For authenticating against apache (v1.3.9) I would like to
use PAM (libapache-mod-auth v0.8.5). 
I installed the mentioned modules and configured 
/etc/pam.d/hhtpd in the following manner:

auth	  required	  pam_unix_auth.so shadow audit
account	  required  	  pam_unix_acct.so shadow audit
password  required        pam_unix_passwd.so shadow audit

The configuration in apache looks like:
- the pam modules is loaded:
  LoadModule pam_auth_module /usr/lib/apache/1.3/mod_auth_pam.so
- the secured site is declared as:

  Alias /secure/ "/home/secure/"

  <Directory "/home/secure">
    Options Indexes FollowSymlinks
    AllowOverride AuthConfig
    AuthType Basic
    AuthName "====== secure user area ======"
    AuthAuthoritative on
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    require group projekte
    require user doedel
    Order allow,deny
    Allow from all
  </Directory>

When going to the site http://localhost/secure/ my netscape (v4.7)
asks me my for username and password. Using an apropriet user/password
apache rejects the connection.

The logging in /var/log/auth.log says:
 PAM_unix[3026]: authentication failure; (uid=33) -> xxx for httpd service
 (where xxx is the used username)

The logging in /var/log/apache/error.log says:
 [error] (25)Inappropriate ioctl for device: access to
 /secure/ failed for 127.0.0.1, reason: Authentication failure

After trying this for a while I set 
  chmod o+r /etc/shadow  
and there it works. But this cannot be the solution, because
shadow wouldn't be shadowing anymore.

So, after reverting this chmod, I made an strace of the apache running,
while connecting to the site:

Interesting are the marked points, where the reading of /etc/shadow is forbidden
first and the the tool unix_chkpwd is running afterwards with allowing to
read from /etc/shadow.

[pid   518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0
[pid   518] select(0, NULL, NULL, NULL, {1, 0} <unfinished ...>
[pid  1164] <... accept resumed> {sin_family=AF_INET, sin_port=htons(1087),
sin_addr=inet_addr("127.0.0.1")}}, [16]) = 3
[pid  1164] fcntl(20, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
[pid  1164] rt_sigaction(SIGUSR1, {SIG_IGN}, {0x805b0f4, [], SA_INTERRUPT|0x4000000}, 8) = 0
[pid  1164] getsockname(3, {sin_family=AF_INET, sin_port=htons(80),
sin_addr=inet_addr("127.0.0.1")}}, [16]) = 0
[pid  1164] setsockopt(3, IPPROTO_TCP1, [1], 4) = 0
[pid  1164] read(3, "GET /secure/ HTTP/1.0\r\nConnection: K"..., 4096) = 273
[pid  1164] rt_sigaction(SIGUSR1, {SIG_IGN}, {SIG_IGN}, 8) = 0
[pid  1164] time(NULL)                  = 981892208
[pid  1164] gettimeofday({981892208, 826060}, NULL) = 0
[pid  1164] stat("/home/hs", ) = 0
[pid  1164] open("/home/secure/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  1164] write(3, "HTTP/1.1 401 Authorization Requi"..., 707) = 707
[pid  1164] time(NULL)                  = 981892208
[pid  1164] write(18, "127.0.0.1 - - [11/Feb/2001:12"..., 74) = 74
[pid  1164] gettimeofday({981892208, 899724}, NULL) = 0
[pid  1164] times({tms_utime=0, tms_stime=1, tms_cutime=0, tms_cstime=0}) = 148086
[pid  1164] shutdown(3, 1 /* send */)   = 0
[pid  1164] select(4, [3], NULL, NULL, {2, 0} <unfinished ...>
[pid  1162] <... fcntl resumed> )       = 0
[pid  1162] accept(17,  <unfinished ...>
[pid   518] <... select resumed> )      = 0 (Timeout)
[pid   518] time(NULL)                  = 981892209
[pid   518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0
[pid   518] select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
[pid   518] time(NULL)                  = 981892210
[pid   518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0
[pid   518] select(0, NULL, NULL, NULL, {1, 0} <unfinished ...>
[pid  1164] <... select resumed> )      = 0 (Timeout)
[pid  1164] close(3)                    = 0
[pid  1164] rt_sigaction(SIGUSR1, {0x805b0f4, [], SA_INTERRUPT|0x4000000}, {SIG_IGN}, 8) = 0
[pid  1164] fcntl(20, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0} <unfinished ...>
[pid   518] <... select resumed> )      = 0 (Timeout)
[pid   518] time(NULL)                  = 981892211
[pid   518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0
[pid   518] select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
[pid   518] time(NULL)                  = 981892212
[pid   518] wait4(-1, 0xbffffcc8, WNOHANG, NULL) = 0
[pid   518] select(0, NULL, NULL, NULL, {1, 0} <unfinished ...>
[pid  1162] <... accept resumed> {sin_family=AF_INET, sin_port=htons(1088),
sin_addr=inet_addr("127.0.0.1")}}, [16]) = 3
[pid  1162] fcntl(20, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0} <unfinished ...>
[pid  1164] <... fcntl resumed> )       = 0
[pid  1164] accept(17,  <unfinished ...>
[pid  1162] <... fcntl resumed> )       = 0
[pid  1162] rt_sigaction(SIGUSR1, {SIG_IGN}, {0x805b0f4, [], SA_INTERRUPT|0x4000000}, 8) = 0
[pid  1162] getsockname(3, {sin_family=AF_INET, sin_port=htons(80),
sin_addr=inet_addr("127.0.0.1")}}, [16]) = 0
[pid  1162] setsockopt(3, IPPROTO_TCP1, [1], 4) = 0
[pid  1162] read(3, "GET /secure/ HTTP/1.0\r\nConnection: K"..., 4096) = 312
[pid  1162] rt_sigaction(SIGUSR1, {SIG_IGN}, {SIG_IGN}, 8) = 0
[pid  1162] time(NULL)                  = 981892213
[pid  1162] gettimeofday({981892213, 113195}, NULL) = 0
[pid  1162] stat("/home/secure", ) = 0
[pid  1162] open("/home/secure/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  1162] stat("/etc/pam.d", ) = 0
[pid  1162] open("/etc/pam.d/httpd", O_RDONLY) = 4
[pid  1162] fstat(4, ) = 0
[pid  1162] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40016000
[pid  1162] read(4, "auth	  required	  pam_uni"..., 4096) = 297
[pid  1162] open("/lib/security/pam_unix.so", O_RDONLY) = 5
[pid  1162] fstat(5, ) = 0
[pid  1162] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340#\0"..., 4096) = 4096
[pid  1162] old_mmap(NULL, 93652, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x40235000
[pid  1162] mprotect(0x4023f000, 52692, PROT_NONE) = 0
[pid  1162] old_mmap(0x4023f000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x9000) =
0x4023f000
[pid  1162] old_mmap(0x40240000, 48596, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x40240000
[pid  1162] close(5)                    = 0
[pid  1162] read(4, "", 4096)           = 0
[pid  1162] close(4)                    = 0
[pid  1162] munmap(0x40016000, 4096)    = 0
[pid  1162] open("/etc/pam.d/other", O_RDONLY) = 4
[pid  1162] fstat(4, ) = 0
[pid  1162] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40016000
[pid  1162] read(4, "#\n# /etc/pam.d/other - specify t"..., 4096) = 341
[pid  1162] read(4, "", 4096)           = 0
[pid  1162] close(4)                    = 0
[pid  1162] munmap(0x40016000, 4096)    = 0
[pid  1162] time(NULL)                  = 981892213
[pid  1162] time([981892213])           = 981892213
[pid  1162] getpid()                    = 1162
[pid  1162] rt_sigaction(SIGPIPE, {0x40140eec, [], 0x4000000}, {SIG_IGN}, 8) = 0
[pid  1162] getuid()                    = 33
[pid  1162] time([981892213])           = 981892213
[pid  1162] getpid()                    = 1162
[pid  1162] rt_sigaction(SIGPIPE, {0x40140eec, [], 0x4000000}, {SIG_IGN}, 8) = 0
[pid  1162] getuid()                    = 33
[pid  1162] open("/etc/passwd", O_RDONLY) = 4
[pid  1162] fcntl(4, F_GETFD)           = 0
[pid  1162] fcntl(4, F_SETFD, FD_CLOEXEC) = 0
[pid  1162] fstat(4, ) = 0
[pid  1162] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40016000
[pid  1162] _llseek(4, 0, [0], SEEK_CUR) = 0
[pid  1162] read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1755
[pid  1162] close(4)                    = 0
[pid  1162] munmap(0x40016000, 4096)    = 0

!!!
[pid  1162] open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
[pid  1162] geteuid()                   = 33
[pid  1162] pipe([4, 5])                = 0
[pid  1162] fork()                      = 2117
[pid  1162] close(4)                    = 0
[pid  1162] write(5, "nonull\0\0", 8)   = 8
[pid  1162] write(5, "xxxxx\0", 9)   = 9     !! here the entred password
[pid  1162] close(5)                    = 0
[pid  1162] wait4(2117,  <unfinished ...>
[pid  2117] close(5)                    = 0
[pid  2117] dup2(4, 0)                  = 0
[pid  2117] execve("/sbin/unix_chkpwd", ["/sbin/unix_chkpwd"], []) = 0
[pid  2117] brk(0)                      = 0x804c614
[pid  2117] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  2117] open("/etc/ld.so.cache", O_RDONLY) = 5
[pid  2117] fstat(5, ) = 0
[pid  2117] old_mmap(NULL, 13799, PROT_READ, MAP_PRIVATE, 5, 0) = 0x40014000
[pid  2117] close(5)                    = 0
[pid  2117] open("/lib/libnsl.so.1", O_RDONLY) = 5
[pid  2117] fstat(5, ) = 0
[pid  2117] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0@\0\000"..., 4096) = 4096
[pid  2117] old_mmap(NULL, 88200, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x40018000
[pid  2117] mprotect(0x4002a000, 14472, PROT_NONE) = 0
[pid  2117] old_mmap(0x4002a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x11000) =
0x4002a000
[pid  2117] old_mmap(0x4002c000, 6280, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x4002c000
[pid  2117] close(5)                    = 0
[pid  2117] open("/lib/libcrypt.so.1", O_RDONLY) = 5
[pid  2117] fstat(5, ) = 0
[pid  2117] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\16"..., 4096) = 4096
[pid  2117] old_mmap(NULL, 183228, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x4002e000
[pid  2117] mprotect(0x40033000, 162748, PROT_NONE) = 0
[pid  2117] old_mmap(0x40033000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x4000) =
0x40033000
[pid  2117] old_mmap(0x40034000, 158652, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x40034000
[pid  2117] close(5)                    = 0
[pid  2117] open("/lib/libc.so.6", O_RDONLY) = 5
[pid  2117] fstat(5, ) = 0
[pid  2117] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\264\213"..., 4096) = 4096
[pid  2117] old_mmap(NULL, 902044, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x4005b000
[pid  2117] mprotect(0x40130000, 29596, PROT_NONE) = 0
[pid  2117] old_mmap(0x40130000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0xd4000) =
0x40130000
[pid  2117] old_mmap(0x40134000, 13212, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x40134000
[pid  2117] close(5)                    = 0
[pid  2117] munmap(0x40014000, 13799)   = 0
[pid  2117] personality(PER_LINUX)      = 0
[pid  2117] getpid()                    = 2117
[pid  2117] fcntl(0, F_GETFD)           = 0
[pid  2117] fcntl(1, F_GETFD)           = 0
[pid  2117] fcntl(2, F_GETFD)           = 0
[pid  2117] rt_sigaction(SIGILL, {0x8048b4c, [], SA_ONESHOT|0x4000000}, NULL, 8) = 0
[pid  2117] rt_sigaction(SIGTRAP, {0x8048b4c, [], SA_ONESHOT|0x4000000}, NULL, 8) = 0
[pid  2117] rt_sigaction(SIGBUS, {0x8048b4c, [], SA_ONESHOT|0x4000000}, NULL, 8) = 0
[pid  2117] rt_sigaction(SIGSEGV, {0x8048b4c, [], SA_ONESHOT|0x4000000}, NULL, 8) = 0
[pid  2117] rt_sigaction(SIGTERM, {SIG_IGN}, NULL, 8) = 0
[pid  2117] rt_sigaction(SIGHUP, {SIG_IGN}, NULL, 8) = 0
[pid  2117] rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0
[pid  2117] rt_sigaction(SIGQUIT, {SIG_IGN}, NULL, 8) = 0
[pid  2117] ioctl(0, TCGETS, 0xbffffd48) = -1 EINVAL (Invalid argument)
[pid  2117] getuid()                    = 33
[pid  2117] brk(0)                      = 0x804c614
[pid  2117] brk(0x804ca2c)              = 0x804ca2c
[pid  2117] brk(0x804d000)              = 0x804d000
[pid  2117] socket(PF_UNIX, SOCK_STREAM, 0) = 5
[pid  2117] connect(5, ) = -1 ECONNREFUSED (Connection refused)
[pid  2117] close(5)                    = 0
[pid  2117] open("/etc/nsswitch.conf", O_RDONLY) = 5
[pid  2117] fstat(5, ) = 0
[pid  2117] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40014000
[pid  2117] read(5, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 465
[pid  2117] read(5, "", 4096)           = 0
[pid  2117] close(5)                    = 0
[pid  2117] munmap(0x40014000, 4096)    = 0
[pid  2117] open("/etc/ld.so.cache", O_RDONLY) = 5
[pid  2117] fstat(5, ) = 0
[pid  2117] old_mmap(NULL, 13799, PROT_READ, MAP_PRIVATE, 5, 0) = 0x40014000
[pid  2117] close(5)                    = 0
[pid  2117] open("/lib/libnss_compat.so.2", O_RDONLY) = 5
[pid  2117] fstat(5, ) = 0
[pid  2117] read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\31\0"..., 4096) = 4096
[pid  2117] brk(0x804e000)              = 0x804e000
[pid  2117] old_mmap(NULL, 44332, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x40138000
[pid  2117] mprotect(0x40142000, 3372, PROT_NONE) = 0
[pid  2117] old_mmap(0x40142000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x9000) =
0x40142000
[pid  2117] close(5)                    = 0
[pid  2117] munmap(0x40014000, 13799)   = 0
[pid  2117] uname({sysname="Linux", ) = 0
[pid  2117] open("/etc/passwd", O_RDONLY) = 5
[pid  2117] fcntl(5, F_GETFD)           = 0
[pid  2117] fcntl(5, F_SETFD, FD_CLOEXEC) = 0
[pid  2117] fstat(5, ) = 0
[pid  2117] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40014000
[pid  2117] _llseek(5, 0, [0], SEEK_CUR) = 0
[pid  2117] read(5, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1755
[pid  2117] close(5)                    = 0
[pid  2117] munmap(0x40014000, 4096)    = 0
[pid  2117] read(0, "nonull\0\0", 8)    = 8

!!!
[pid  2117] read(0, "xxxxx\0", 200)  = 9    !! here the entered password
[pid  2117] open("/etc/passwd", O_RDONLY) = 5
[pid  2117] fcntl(5, F_GETFD)           = 0
[pid  2117] fcntl(5, F_SETFD, FD_CLOEXEC) = 0
[pid  2117] open("/etc/passwd", O_RDONLY) = 6
[pid  2117] fcntl(6, F_GETFD)           = 0
[pid  2117] fcntl(6, F_SETFD, FD_CLOEXEC) = 0
[pid  2117] fstat(6, ) = 0
[pid  2117] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40014000
[pid  2117] _llseek(6, 0, [0], SEEK_CUR) = 0
[pid  2117] read(6, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1755
[pid  2117] close(6)                    = 0
[pid  2117] munmap(0x40014000, 4096)    = 0
[pid  2117] close(5)                    = 0
[pid  2117] open("/etc/shadow", O_RDONLY) = 5
[pid  2117] fcntl(5, F_GETFD)           = 0
[pid  2117] fcntl(5, F_SETFD, FD_CLOEXEC) = 0

!!!
[pid  2117] open("/etc/shadow", O_RDONLY) = 6
[pid  2117] fcntl(6, F_GETFD)           = 0
[pid  2117] fcntl(6, F_SETFD, FD_CLOEXEC) = 0
[pid  2117] fstat(6, ) = 0
[pid  2117] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40014000
[pid  2117] _llseek(6, 0, [0], SEEK_CUR) = 0
[pid  2117] read(6, "root:xxxxxxx:10901:0:99999"..., 4096) = 1157
[pid  2117] close(6)                    = 0
[pid  2117] munmap(0x40014000, 4096)    = 0
[pid  2117] close(5)                    = 0
[pid  2117] _exit(0)                    = ?
[pid  1162] <... wait4 resumed> [WIFEXITED(s) && WEXITSTATUS(s) == 0], 0, NULL) = 2117
[pid  1162] --- SIGCHLD (Child exited) ---


I also tested the tool /sbin/unix_chkpwd with
 echo -n "nonull  xxxx" | /sbin/unix_chkpwd && echo ok
where xxxx is the password of the logged user; it's ok.


Can anyone help me ?? Is anyone else using PAM in this way ??

Thanks!

-- 
Stefan-W. Hahn / mailto:stefan.hahn@online.de /





[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux