On Fri, Jan 27, 2006 at 02:26:27PM -0500, Jonathan DeSena wrote:
> > On Fri, 27 Jan 2006 11:30:32 -0600, Les Mikesell wrote:
> >> The common exception is where you want web authentication to use pam and
> >> one of the methods you want to include is the system password file. In
> >> this case you have to give httpd read access, probably by making shadow
> >> group apache and group readable. If you are proposing a change that
> >> makes this unnecessary, then root:root might be reasonable.
>
> > You give httpd read access IF you do NOT have a setuid helper binary to do
> > the read. This is why the setuid helper binary method exists -- to allow
> > non-root processes that otherwise could not access the shadow file to
> > authenticate shadow passwords using pam_unix.
>
> > In your example, if httpd can be configured to use PAM, then by using
> > pam_unix, the httpd need not have read access to /etc/shadow. I would
> > configure the shadow password traditionally as above, configure httpd pam
> > service to include pam_unix for authentication, and leave httpd binary
> > with perms 0755.
>
> > By the way, I have only set up httpd to do htpasswd type authentication,
> > so I am not sure if the configuration I describe is possible. I am not
> > sure I would use local unix passwords to authenticate web servers, even if
> > it were possible.
>
> I see now that mod_auth_pam will allow apache to use PAM. The web page
> suggests configuring as Les describes: making shadow group apache and
> group readable. However, using pam_unix with helper setuid binary
> obviates this and allows configuration as I described.

Except it does not, because the stock unix_chkpwd helper as distributed with
Linux-PAM does not allow you to check passwords for any user except the one
matching the current uid. So your patch is still incorrect. Either you need
a better audit policy, or you'll have to patch Linux-PAM locally; I recommend
the former.
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@xxxxxxxxxx                                   http://www.debian.org/
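For readers who have not set up mod_auth_pam, this is the PAM service stanza the thread is arguing about, added here as an editorial example rather than anything one of the posters wrote. The file name /etc/pam.d/httpd and the service name are assumptions; the module names are the standard Linux-PAM ones.

```text
# /etc/pam.d/httpd  (hypothetical service file, added example; the web
# server must request PAM service "httpd" for this file to be consulted)
#
# pam_unix.so reads /etc/shadow directly when the calling process is root.
# When the caller is unprivileged (e.g. httpd running as "apache") it hands
# the check to the setuid-root helper unix_chkpwd instead.
auth     required   pam_unix.so
account  required   pam_unix.so
```

The caveat is the one Steve raises in the message above: with the stock unix_chkpwd of that era, the helper only verifies the password of the account whose uid matches the calling process, so an httpd running as "apache" can authenticate "apache" and nobody else. That leaves the defender with two honest choices already named in the thread: keep /etc/shadow root-only and use a separate credential store such as htpasswd for the web tier, or accept that web authentication against system passwords means widening read access to /etc/shadow to the web server's group, which should then be treated as a privileged account in monitoring and hardening.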
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list