[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CALL for PAM support

On Sun, May 23, 1999 at 09:33:36AM -0400, Michael Alan Dorman wrote:
> Ben Collins <bcollins@debian.org> writes:
> > There is a libapache-mod-pam, which enables apache auth using PAM
> > modules, already packaged. It has some drawbacks due to permissions
> > (apache runs as www-data so it cannot access /etc/shadow). This can't
> > be avoided however.
>
> Um, doesn't libpwdb take care of this?  I would swear (though I can't
> confirm it right now, or I would) that I had apache running the
> mod_pam module authenticating against shadow with no problems, *once I
> installed libpwdb*.

No. pam_pwdb modules uses an external program that is sgid shadow to
authenticate users without having the calling program be sgid shadow.
However it only authenticates the calling user (www-data in this case),
so it wont work for any normal users.

--
-----    -- - -------- --------- ----  -------  -----  - - ---   --------
Ben Collins <bcollins@debian.org>                        Debian GNU/Linux
OpenLDAP Dev - bcollins@openldap.org     The Choice of the GNU Generation
------ -- ----- - - -------   ------- -- ---- - -------- - --- ---- -  --
Reply to: