On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:
> On Fri, 2006-01-27 at 10:30, Jonathan DeSena wrote:
>> On Fri, 27 Jan 2006 16:17:46 +0100, Thorsten Kukuk wrote:
>> > You don't need super-user rights, you only need the correct rights.
>> > And this depends on which mode and owner/group /etc/shadow has. With
>> > super-user rights you can of course always read it.
>>
>> Okay, now I understand what you meant. It is true that the permissions
>> of the shadow file COULD be anything; however, it is traditional (I expected
>> standard) that it be owned by root:root with permissions 0400. If not,
>> it loses the whole point of the shadow file -- hiding passwords from
>> regular users. Should not pam_unix EXPECT traditional permissions on
>> /etc/shadow, given that it is the "standard Unix authentication module"?
>
> The common exception is where you want web authentication to use pam and
> one of the methods you want to include is the system password file. In
> this case you have to give httpd read access, probably by making shadow
> group apache and group readable. If you are proposing a change that makes
> this unnecessary, then root:root might be reasonable.

You give httpd read access IF you do NOT have a setuid helper binary to do
the read. This is why the setuid helper binary method exists -- to allow
non-root processes that otherwise could not access the shadow file to
authenticate shadow passwords using pam_unix. In your example, if httpd can
be configured to use PAM, then by using pam_unix, httpd need not have read
access to /etc/shadow. I would configure the shadow password file
traditionally as above, configure the httpd PAM service to include pam_unix
for authentication, and leave the httpd binary with perms 0755.

By the way, I have only set up httpd to do htpasswd type authentication, so
I am not sure if the configuration I describe is possible. I am not sure I
would use local unix passwords to authenticate web servers, even if it were
possible.
Jon

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list