Comments on Install and Configure Auth Shadow on Debian/Ubuntu

Install and Configure Auth Shadow on Debian/Ubuntu

Auth Shadow (mod-auth-shadow) is a module for Apache (and, sort of, Apache 2) that enables authentication against /etc/shadow. The benefit is that any system user with a password can be authenticated for WebDAV, Subversion or simply an HTTPS server. The only other way to do this is with PAM. That method is dangerous because the Apache user (www-data in my case) must be able to read /etc/shadow. Obviously, not a good idea. Auth Shadow accomplishes this safely by using an intermediate program called validate. This works because validate can be owned by root but executable by everyone. In the event that your server is compromised through Apache, your password file will not be readable.
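The whole argument above (and in the comments below) turns on two file-permission questions: can the web server account read /etc/shadow, and does the privileged helper actually have what it needs to read the file on the server's behalf. The script below is an added example, not code from the tutorial or from mod-auth-shadow; it audits exactly those two points. The user name www-data and the path /etc/shadow are defaults taken from the text; the install path of the validate helper is not given on this page, so it is passed on the command line.

```python
import grp
import os
import pwd
import stat

# Added example: audits the permission model the tutorial relies on.
# "www-data" and "/etc/shadow" are the defaults named in the text; the
# helper path is an argument because the page does not state it.


def can_read(path, uid, gids):
    """Discretionary-access check: can a process with this uid and these group
    ids open `path` for reading?  Linux consults only the owner bits when the
    uid matches the owner, then the group bits, then the 'other' bits.
    Root (uid 0) bypasses DAC entirely."""
    if uid == 0:
        return True
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def user_can_read(path, username):
    """Resolve a system account (e.g. www-data) to its uid and full group list,
    then ask the DAC question the tutorial's warning is about."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return can_read(path, pw.pw_uid, gids)


def audit_shadow(path="/etc/shadow"):
    """Findings for the password file: it should be root-owned, never
    world-readable and writable only by its owner."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != 0:
        findings.append("not owned by root")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def audit_helper(path):
    """Findings for a privileged helper such as mod-auth-shadow's validate.
    Being owned by root is not enough for it to open /etc/shadow: it needs
    the setuid bit.  A setuid-root file must not be writable by anyone else,
    and it must be executable by the web server account to be useful."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != 0:
        findings.append("not owned by root")
    if not mode & stat.S_ISUID:
        findings.append("setuid bit not set")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if not mode & stat.S_IXOTH:
        findings.append("not executable by others")
    return findings


def main(argv):
    # Usage: python3 audit_shadow.py /path/to/validate [web-user]
    helper = argv[1] if len(argv) > 1 else None
    web_user = argv[2] if len(argv) > 2 else "www-data"
    print("/etc/shadow:", audit_shadow() or ["ok"])
    print(f"{web_user} can read /etc/shadow:", user_can_read("/etc/shadow", web_user))
    if helper:
        print(f"{helper}:", audit_helper(helper) or ["ok"])


if __name__ == "__main__":
    import sys
    main(sys.argv)
```

On a stock Debian system /etc/shadow is root:shadow 0640, so the interesting output is not the mode itself but whether www-data has been added to the shadow group, which `user_can_read` reports as True. For the helper, an "ok" result means the file is root-owned, setuid, not writable by anyone but root, and executable by the web server account; the "setuid bit not set" finding is the case the second commenter below is pointing at.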


Comments

By: Thanatos

Your statement is not correct. This method does not require access to the /etc/shadow file for www-data. It uses an intermediary script to authenticate the user.

By:

The only other way to do this is with PAM. That method is dangerous because the apache user (www-data in my case) must be able to read /etc/shadow.

I don't know about Debian, but under most distributions, it is safe to authenticate against /etc/shadow using pam_unix, since there is a setuid wrapper which validates access from pam_unix running as non-root and allows the checking of one user's password (no read access to passwords is provided).

This seems to be a better solution than what you have described is done by mod_auth_shadow (and used by many more applications than just apache), but your description is not comprehensive ("owned by root" is insufficient to provide access to /etc/shadow, I assume you actually mean setuid root). As such, I think a more comprehensive (and accurate regarding setuid, and mechanisms in place to prevent abuse) discussion of the security differences would be in order, if you propose this as a more secure solution than mod_auth_external and PAM.

By:

The comment about using PAM got my hopes up, but alas. The mod_auth_pam documentation says that apache still requires read-access to the shadow file when using pam_unix: http://pam.sourceforge.net/mod_auth_pam/shadow.html