> On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:
>> The common exception is where you want web authentication to use pam and
>> one of the methods you want to include is the system password file. In
>> this case you have to give httpd read access, probably by making shadow
>> group apache and group readable. If you are proposing a change that
>> makes this unnecessary, then root:root might be reasonable.
>
> You give httpd read access IF you do NOT have a setuid helper binary to do
> the read. This is why the setuid helper binary method exists -- to allow
> non-root processes that otherwise could not access the shadow file to
> authenticate shadow passwords using pam_unix.
>
> In your example, if httpd can be configured to use PAM, then by using
> pam_unix, the httpd need not have read access to /etc/shadow. I would
> configure the shadow password traditionally as above, configure the httpd pam
> service to include pam_unix for authentication, and leave the httpd binary
> with perms 0755.
>
> By the way, I have only set up httpd to do htpasswd type authentication,
> so I am not sure if the configuration I describe is possible. I am not
> sure I would use local unix passwords to authenticate web servers, even if
> it were possible.

I see now that mod_auth_pam will allow apache to use PAM. The web page suggests configuring as Les describes: making shadow group apache and group readable. However, using pam_unix with the setuid helper binary obviates this and allows configuration as I described (which seems nicer to me, except for the audit log entries that will be generated with current pam_unix).

Jon

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
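The thread contrasts two layouts: giving httpd group read access to /etc/shadow, or keeping /etc/shadow root-only and letting pam_unix's setuid helper do the lookup. The following script is an added example, not code from the thread or from the mod_auth_pam project; it encodes the second layout as three checks an administrator can run. The PAM service name "httpd", its path, the helper path and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example: verify the "pam_unix + setuid helper" layout described in
# the thread, in which the web server runs unprivileged, /etc/shadow stays
# unreadable to it, and a setuid-root helper performs the shadow lookup.

# Constructed PAM service file for the web server (service name "httpd" is
# an assumption; it must match what mod_auth_pam is configured to use).
HTTPD_PAM_EXAMPLE='auth     required   pam_unix.so
account  required   pam_unix.so'

# Return 0 if the given PAM service file has an "auth" line loading
# pam_unix.so, so password checks go through the helper rather than
# requiring the server to read the shadow file itself.
# (Only simple control keywords such as "required" are matched; bracketed
# control syntax is not covered here.)
pam_service_uses_pam_unix() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z_]+[[:space:]]+pam_unix\.so' "$1"
}

# Return 0 if the shadow file's mode grants nothing to "other" and nothing
# beyond read to group: 0000, 0400, 0600 or 0640, the usual root-owned
# layouts. A group-readable file owned by a web-server group would pass the
# mode test, so ownership must still be confirmed separately.
shadow_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        0|400|600|640) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the helper binary carries the setuid bit (leading 4 in the
# octal mode), which is what lets an unprivileged caller authenticate
# against shadow entries without read access to the file.
helper_is_setuid() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        4???) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks against real paths (assumed locations), reporting
# each result; exit status is non-zero if any check fails.
check_layout() {
    rc=0
    pam_service_uses_pam_unix "${1:-/etc/pam.d/httpd}" \
        && echo "ok: PAM service uses pam_unix" \
        || { echo "FAIL: PAM service does not use pam_unix"; rc=1; }
    shadow_mode_ok "${2:-/etc/shadow}" \
        && echo "ok: shadow mode restrictive" \
        || { echo "FAIL: shadow mode too permissive"; rc=1; }
    helper_is_setuid "${3:-/sbin/unix_chkpwd}" \
        && echo "ok: helper is setuid" \
        || { echo "FAIL: helper is not setuid"; rc=1; }
    return $rc
}
```

Run `check_layout` with no arguments on a host to use the assumed default paths, or pass the PAM service file, shadow file and helper path explicitly. The mode check deliberately passes 0640, since that is correct when the group is root or shadow; pair it with an ownership check before treating the result as a clean bill of health.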