On Thu, Aug 02, 2012 at 05:36:55PM +0200, Wolfgang Draxinger wrote:
> I'm currently trying to configure user authentication on a webserver,
> that shall use the normal system user names and passwords. I'm using
> Nginx as webserver, together with the auth_pam module, as packaged by
> Debian wheezy.

> I expected that since unix_chkpw is set setgid shadow I could use
> pam_unix.so for the webserver service just as is. However it turned
> out, that the user for the webserver process must be in the group
> "shadow" for authentication to work. If the webserver can't read shadow
> it doesn't work.

> I was under the impression the idea of unix_chkpw was to have process
> separation and by having a thoroughly audited helper program, that can
> be setgid safely so that a regular user can perform pam_unix.so tests.

It's so that a regular user can *self* authenticate. Allowing users to call
this setgid helper directly for other accounts would let them use it for
brute forcing of passwords.

So no, what you're asking for is disallowed by design.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@xxxxxxxxxx                                     vorlon@xxxxxxxxxx
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
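
A simplified model of the self-authentication rule described in the reply above, as an added example that is not part of the original thread and is not Linux-PAM's own code. The names `decide` and `helper_decision` are hypothetical, and treating root as always allowed is an assumption of this sketch.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* What a setgid-shadow password helper does with its privilege (hypothetical names). */
enum helper_decision {
    KEEP_PRIVILEGE,  /* caller is root, or is checking its own account */
    DROP_PRIVILEGE,  /* caller named another account: no shadow access */
    REJECT           /* no target given, or caller's uid cannot be resolved */
};

/* caller_name is the account name looked up from the caller's REAL uid
 * (NULL if the lookup failed); target is the account to be checked. */
enum helper_decision decide(uid_t caller_uid, const char *caller_name,
                            const char *target)
{
    if (target == NULL || *target == '\0')
        return REJECT;
    if (caller_uid == 0)            /* assumption: root is always allowed */
        return KEEP_PRIVILEGE;
    if (caller_name == NULL)
        return REJECT;
    return strcmp(caller_name, target) == 0 ? KEEP_PRIVILEGE : DROP_PRIVILEGE;
}

int main(int argc, char **argv)
{
    struct passwd *pw = getpwuid(getuid());   /* real uid, not effective */
    const char *target = argc > 1 ? argv[1] : NULL;
    enum helper_decision d = decide(getuid(), pw ? pw->pw_name : NULL, target);

    if (d == REJECT) {
        fprintf(stderr, "no target account, or caller uid not resolvable\n");
        return 2;
    }
    if (d == DROP_PRIVILEGE) {
        /* Shed the setgid/setuid bits before any password file is opened. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            return 1;
        puts("other account: privilege dropped, shadow stays unreadable");
        return 1;
    }
    puts("own account (or root): shadow lookup may proceed");
    return 0;
}
```

A web server worker running under its own account and asking about other users' accounts always lands in the `DROP_PRIVILEGE` branch of this model, so it only succeeds if it can read the shadow file by its own group membership.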