The only other way to do this is with PAM. That method is dangerous because the apache user (www-data in my case) must be able to read /etc/shadow. I don't know about Debian, but under most distributions, it is safe to authenticate against /etc/shadow using pam_unix, since there is a setuid wrapper which validates access from pam_unix running as non-root and allows the checking of one user's password (no read access to passwords is provided). This seems to be a better solution than what you have described is done by mod_auth_shadow (and used by many more applications than just apache), but your description is not comprehensive ("owned by root" is insufficient to provide access to /etc/shadow, I assume you actually mean setuid root). As such, I think a more comprehensive (and accurate regarding setuid, and mechanisms in place to prevent abuse) discussion of the security differences would be in order, if you propose this as a more secure solution than mod_auth_external and PAM.