On Mon, Apr 29, 2002 at 11:49:44AM -0400, Stephen Reppucci wrote:

> I just joined the list, so be gentle ;^)
>
> I'm trying to get a web-based application to authenticate using PAM
> (via perl's Authen::PAM module).
>
> My test scripts work fine, as long as I'm authenticating the same
> user that the scripts are running under. When I plug my stuff into a
> cgi script however (apache web server running as user 'nobody' on
> Linux, with PAM 0.75), authentication fails.
>
> Reading through this thread:
>
> http://archives.neohapsis.com/archives/pam-list/2001-02/0100.html
>
> I realize that the /sbin/unix_chkpwd script is likely disallowing
> lookups for uids not matching the effective uid of the requesting
> process.
>
> The thread suggests cobbling together a version of unix_chkpwd that
> allows this type of lookup for the web server user. I'm not certain
> that my typical customer will want to accept (nor be able to
> correctly compile it, for that matter...) this as a solution.
>
> So, anyone have a generic solution that solves this? Or should I
> just hack up a version of unix_chkpwd and try to include as detailed
> building instructions as possible?

When deciding what processes to allow access to /etc/shadow, you have to make some choices between security and convenience. You basically have two options. You can create a unix_chkpwd helper that implements different sanity checks on the incoming requests, to meet your clients' needs; or, if you don't feel that you can implement this in a way that will be easy enough for your clients to get a handle on, you can advise them to change the file permissions on /etc/shadow to grant the webserver user direct read access to the file.

Steve Langasek
postmodern programmer
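For readers following the thread, here is an added example (not code from either poster) of the Authen::PAM call sequence a CGI script would use, with a diagnostic for the failure mode discussed above: a non-root process authenticating an account other than its own. The PAM service name and the credentials are taken from the command line and are assumptions, not values from the thread.

```perl
#!/usr/bin/perl
# Added example: authenticate a user via Authen::PAM and explain why
# pam_unix's unix_chkpwd helper refuses when the caller is not root and
# is checking a different account (the 'nobody' CGI case in the thread).
use strict;
use warnings;
use Authen::PAM;

my ($service, $user, $password) = @ARGV;   # e.g. "login" alice secret (assumed)
die "usage: $0 <pam-service> <user> <password>\n" unless defined $password;

# Conversation callback: PAM passes (msg_type, msg_text) pairs and expects
# (retcode, response) pairs back, followed by one final status code.
sub conv {
    my @res;
    while (@_) {
        my ($code, $msg) = (shift, shift);
        my $ans = '';
        $ans = $user     if $code == PAM_PROMPT_ECHO_ON();   # "login:" style prompt
        $ans = $password if $code == PAM_PROMPT_ECHO_OFF();  # "Password:" prompt
        push @res, (PAM_SUCCESS(), $ans);
    }
    push @res, PAM_SUCCESS();
    return @res;
}

# Diagnostic for the case in the thread: unix_chkpwd only verifies the
# password of the calling process's own uid unless the caller is root,
# so a web server running as 'nobody' cannot check other users this way.
my $target_uid = getpwnam($user);
if ($> != 0 && defined $target_uid && $target_uid != $>) {
    warn "note: euid $> differs from uid $target_uid of '$user'; "
       . "pam_unix's unix_chkpwd helper will refuse this check\n";
}

my $pamh = new Authen::PAM($service, $user, \&conv);
ref($pamh) or die "pam_start failed with error code $pamh\n";

my $ret = $pamh->pam_authenticate;
$ret = $pamh->pam_acct_mgmt if $ret == PAM_SUCCESS();   # locked/expired accounts
my $msg = $pamh->pam_strerror($ret);   # fetch text before releasing the handle
$pamh->pam_end;

if ($ret == PAM_SUCCESS()) {
    print "authentication succeeded for $user\n";
    exit 0;
}
print "authentication failed for $user: $msg\n";
exit 1;
```

Run as root it succeeds for any local account; run as an unprivileged user it succeeds only for that user's own account, which is the behaviour the original poster observed.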