On Fri, 27 Jan 2006 14:22:56 -0800, Steve Langasek wrote:

>> I see now that mod_auth_pam will allow apache to use PAM. The web page
>> suggests configuring as Les describes: making shadow group apache and
>> group readable. However, using pam_unix with the helper setuid binary
>> obviates this and allows configuration as I described.
>
> Except it does not, because the stock unix_chkpwd helper as distributed
> with Linux-PAM does not allow you to check passwords for any user except
> the one matching the current uid.

Yes, I corrected myself in a follow-up.

> So your patch is still incorrect. Either you need a better audit policy,
> or you'll have to patch Linux-PAM locally; I recommend the former.

I will probably do the latter for now, at least.

The modification to the audit policy that would help would be to not log accesses of /etc/shadow by certain programs running as non-root (only xscreensaver in our environment). Unfortunately, SNARE does not support filtering by program name, only by user. Regardless, I do not think this would be an allowable change. I also enumerated some other possibilities in a previous post.

Thanks to all for helping to point out the limitations of my simple patch. I now understand better when it will and will not work. That is why I posted it to the list. I would still appreciate any additional comments on how to best resolve the auditing issue.

Jon

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list