Re: PAM modules violating PAM architecture?, e.g. mod_auth_pam

At 12:24 PM 10/6/2004, Kenneth Porter wrote:
--On Wednesday, October 06, 2004 11:44 AM -0700 Jed Donnelley <jed@xxxxxxxxx> wrote:

Specifically, rather than going through PAM modules as specified in the
pam.d configuration file (e.g. pam.d/httpd in the case I am focusing on),
mod_auth_pam punches through directly to base underlying Unix calls
including getpwnam and getgrnam (calls that don't lie on top of PAM) for
parts of its function.

The mod_auth_external module was pointed out to me this morning as an alternative to mod_auth_pam:

<http://www.unixpapa.com/mod_auth_external.html>

One would use this in combination with the pwauth helper binary:

<http://www.unixpapa.com/pwauth/>

The latter does the actual PAM authentication, using pipes for IPC.

Thanks for the note, Kenneth. Since the primary purpose of mod_auth_external seems to be allowing authentication from /etc/shadow without making /etc/shadow readable by the httpd user, e.g. from:

http://www.unixpapa.com/pwauth/

"Mod_auth_pam or mod_auth_system can ... authenticate <to local /etc/files > only if you make the shadow password file readable to the http server. This means that if there are any exploitable vulnerabilities in the http server, then it may be possible for people to grab a copy of your shadow password file. Worse, any CGI program on your system which is not run under suExec or cgiwrap also has read access to your shadow password database, and any bugs in these might also expose your entire password database. When mod_auth_external and pwauth are used, neither the http server nor any CGI programs are given access to the shadow database."

, its use seems to be somewhat orthogonal to my needs. I don't allow my apache user to read /etc/shadow because I want my authentication to come remotely from LDAP and not locally. I can see that for others who might want password information to come more securely from /etc/shadow, the mod_auth_external (or mod_auth_shadow?) could be useful.

While in principle using mod_auth_external in lieu of mod_auth_pam might help my problem if mod_auth_external does its authentication strictly through PAM, in practice for me I think the cost of another suid program and the configuration costs are likely not worth the work for my situation, especially given that I have a working solution with the modifications that I made to mod_auth_pam. Thanks for the thought though!

--Jed http://www.webstart.com/jed/
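For reference, the mod_auth_external plus pwauth arrangement Kenneth describes looks roughly like this in an Apache configuration. This is an added illustration, not configuration taken from the thread or from either project's documentation; the helper path, the protected location and the realm name are assumptions.

```apache
# Register the pwauth helper and have Apache hand it the credentials as
# "user\npassword\n" on its stdin over a pipe. The pipe method keeps the
# password out of environment variables, which other processes could read.
# The helper path is an assumption; use wherever your build installed it.
AddExternalAuth pwauth /usr/local/libexec/pwauth
SetExternalAuthMethod pwauth pipe

# Protect one location with the external helper. Apache never reads
# /etc/shadow itself; only the setuid pwauth helper does, and only
# through whatever PAM stack pwauth's own service file selects.
<Location /private>
    AuthType Basic
    AuthName "Restricted area"
    AuthExternal pwauth
    Require valid-user
</Location>
```

This stays strictly on the PAM path only if pwauth was built with its PAM option; built for direct shadow access it reads /etc/shadow itself, which is the behaviour the thread is trying to avoid.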

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
