Re: pam_unix opens /etc/shadow as regular user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:
>> The common exception is where you want web authentication to use pam and
>> one of the methods you want to include is the system password file.  In
>> this case you have to give httpd read access, probably by making shadow
>> group apache and group readable.  If you are proposing a change that
>> makes this unnecessary, then root:root might be reasonable.
> 
> You give httpd read access IF you do NOT have a setuid helper binary to do
> the read. This is why the setuid helper binary method exists -- to allow
> non-root processes that otherwise could not access the shadow file to
> authenticate shadow passwords using pam_unix.
> 
> In your example, if httpd can be configured to use PAM, then by using
> pam_unix, the httpd need not have read access to /etc/shadow. I would
> configure the shadow password traditionally as above, configure httpd pam
> service to include pam_unix for authentication, and leave httpd binary
> with perms 0755.
> 
> By the way, I have only set up httpd to do htpasswd type authentication,
> so I am not sure if the configuration I describe is possible. I am not
> sure I would use local unix passwords to authenticate web servers, even if
> it were possible.

I see now that mod_auth_pam will allow apache to use PAM. The web page
suggests configuring as Les describes: making shadow group apache and
group readable. However, using pam_unix with helper setuid binary
obviates this and allows configuration as I described (which seems nicer
to me, except for the audit log entries that will be generated with
current pam_unix).

Jon

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux