I actually ended up modifying the unix_chkpwd.c source to allow defining
(via #define) a user which is allowed to do lookups on behalf of other
uids. Seems like this should make it easy enough for customers to build
this version, if they accept the security consequences of doing so.

Opening up the shadow file to promiscuous access *doesn't* seem like a
good approach to me -- lesser is better, imo, and limiting access to a
single uid seems like the lesser of two evils here.

Thanks for the feedback.

<Steve>

Steve Langasek wrote:
>
> On Mon, Apr 29, 2002 at 11:49:44AM -0400, Stephen Reppucci wrote:
> > I'm trying to get a web-based application to authenticate using PAM
> > (via perl's Authen::PAM module).
>
> > My test scripts work fine, as long as I'm authenticating the same
> > user that the scripts are running under. When I plug my stuff into a
> > cgi script however (apache web server running as user 'nobody' on
> > Linux, with PAM 0.75), authentication fails.
>
> > Reading through this thread:
>
> > http://archives.neohapsis.com/archives/pam-list/2001-02/0100.html
>
> > I realize that the /sbin/unix_chkpwd script is likely disallowing
> > lookups for uids not matching the effective uid of the requesting
> > process.
>
> > The thread suggests cobbling together a version of unix_chkpwd that
> > allows this type of lookup for the web server user. I'm not certain
> > that my typical customer will want to accept (nor, be able to
> > correctly compile it, for that matter...) this as a solution.
>
> > So, anyone have a generic solution that solves this? Or should I
> > just hack up a version of unix_chkpwd and try to include as detailed
> > building instructions as possible?
>
> When deciding what processes to allow access to /etc/shadow, you have to
> make some choices between security and convenience. You basically have
> two options. You can create a unix_chkpwd helper that implements
> different sanity checks on the incoming requests, to meet your clients'
> needs; or, if you don't feel that you can implement this in a way that
> will be easy enough for your clients to get a handle on, you can advise
> them to change the file permissions on /etc/shadow to grant the
> webserver user direct read access to the file.
>
> Steve Langasek
> postmodern programmer

-- 
Steve Reppucci                       sgr@logsoft.com |
Logical Choice Software          http://logsoft.com/ |
=-=-=-=-=-=-=-=-=-=- My God! What have I done? -=-=-=-=-=-=-=-=-=-=
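The policy being discussed in this exchange, as an added example that is not the Linux-PAM unix_chkpwd.c source and not Steve Reppucci's patch: a setuid-root password helper decides, from the caller's real uid, whether it may verify a given account. The stock rule is "root may check anyone, everyone else may only check themselves"; the modification described above adds one compile-time-defined uid (the web server's) that may check other accounts. The macro name CHKPWD_DELEGATE_UID, the function names, and the uid values in the scenario (99 for the web server user, 1000 for the login being verified) are assumptions made for this example.

```c
/*
 * Added example, not the Linux-PAM unix_chkpwd.c source. It models the
 * authorisation decision a setuid-root password helper makes before it
 * touches /etc/shadow on behalf of its caller. Because the helper is setuid
 * root, the caller is identified by the real uid (getuid()), not the
 * effective uid. Rules, as discussed in the thread:
 *   - root may verify any account;
 *   - an ordinary caller may only verify the account it runs as;
 *   - optionally, one compile-time-defined uid (the web server's) may verify
 *     other accounts. CHKPWD_DELEGATE_UID is an assumed name for that knob.
 */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef CHKPWD_DELEGATE_UID
/* Disabled unless the builder passes e.g. -DCHKPWD_DELEGATE_UID=99 */
#define CHKPWD_DELEGATE_UID ((uid_t)-1)
#endif

enum chkpwd_verdict {
    CHKPWD_DENY = 0,       /* caller may not verify this account */
    CHKPWD_ALLOW_ROOT,     /* caller is root */
    CHKPWD_ALLOW_SELF,     /* caller is verifying its own account */
    CHKPWD_ALLOW_DELEGATE  /* caller is the single configured delegate uid */
};

/* Pure policy function: caller wants to verify target; delegate is the one
 * uid granted delegate status, or (uid_t)-1 for none. Deny is the default. */
enum chkpwd_verdict chkpwd_policy(uid_t caller, uid_t target, uid_t delegate)
{
    if (caller == 0)
        return CHKPWD_ALLOW_ROOT;
    if (caller == target)
        return CHKPWD_ALLOW_SELF;
    if (delegate != (uid_t)-1 && caller == delegate)
        return CHKPWD_ALLOW_DELEGATE;
    return CHKPWD_DENY;
}

/* What the helper would decide for the process that actually invoked it.
 * getuid() is the real uid, which setuid does not change. */
enum chkpwd_verdict chkpwd_decide_for_caller(uid_t target)
{
    return chkpwd_policy(getuid(), target, CHKPWD_DELEGATE_UID);
}

static const char *verdict_name(enum chkpwd_verdict v)
{
    switch (v) {
    case CHKPWD_ALLOW_ROOT:     return "allow (root)";
    case CHKPWD_ALLOW_SELF:     return "allow (own account)";
    case CHKPWD_ALLOW_DELEGATE: return "allow (delegate uid)";
    default:                    return "deny";
    }
}

int main(void)
{
    /* Constructed scenario (assumed uids): the web server runs as uid 99
     * and wants to verify a login for the account with uid 1000. */
    const uid_t web_uid = 99, user_uid = 1000;

    printf("stock helper:   web -> user:   %s\n",
           verdict_name(chkpwd_policy(web_uid, user_uid, (uid_t)-1)));
    printf("patched helper: web -> user:   %s\n",
           verdict_name(chkpwd_policy(web_uid, user_uid, web_uid)));
    printf("patched helper: other -> user: %s\n",
           verdict_name(chkpwd_policy(1001, user_uid, web_uid)));
    printf("this process:   me -> user:    %s\n",
           verdict_name(chkpwd_decide_for_caller(user_uid)));
    return 0;
}
```

Build with `cc -DCHKPWD_DELEGATE_UID=99 ...` to enable the delegate path; without the define the policy is the stock one. Two things worth noting for anyone adopting this approach: nothing in the thread restricts which accounts the delegate may check, so excluding uid 0 from the delegate branch is a cheap extra, and the delegate uid still never reads /etc/shadow itself; the hashes stay inside the setuid helper, which is exactly what making the file group- or world-readable gives up.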