[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: (more) /etc/shadow problems



On Mon, Apr 29, 2002 at 11:49:44AM -0400, Stephen Reppucci wrote:

> I just joined the list, so be gentle ;^)

> I'm trying to get a web-based application to authenticate using PAM
> (via perl's Authen::PAM module).

> My test scripts work fine, as long as I'm authenticating the same
> user that the scripts are running under. When I plug my stuff into a
> cgi script however (apache web server running as user 'nobody' on
> Linux, with PAM 0.75), authentication fails.

> Reading through this thread:

>   http://archives.neohapsis.com/archives/pam-list/2001-02/0100.html

> I realize that the /sbin/unix_chkpwd script is likely disallowing
> lookups for uids not matching the effective uid of the requesting
> process.

> The thread suggests cobbling together a version of unix_chkpwd that
> allows this type of lookup for the web server user. I'm not certain
> that my typical customer will want to accept (nor, be able to
> correctly compile it, for that matter...) this as a solution.

> So, anyone have a generic solution that solves this? Or should I
> just hack up a version of unix_chkpwd and try to include as detailed
> building instructions as possible?

When deciding what processes to allow access to /etc/shadow, you have to
make some choices between security and convenience.  You basically have
two options.  You can create a unix_chkpwd helper that implements
different sanity checks on the incoming requests, to meet your clients'
needs; or, if you don't feel that you can implement this in a way that
will be easy enough for your clients to get a handle on, you can advise
them to change the file permissions on /etc/shadow to grant the 
webserver user direct read access to the file.

Steve Langasek
postmodern programmer

Attachment: pgp00005.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []