> I just joined the list, so be gentle ;^)
> I'm trying to get a web-based application to authenticate using PAM
> (via perl's Authen::PAM module).
> My test scripts work fine, as long as I'm authenticating the same
> user that the scripts are running under. When I plug my stuff into a
> cgi script however (apache web server running as user 'nobody' on
> Linux, with PAM 0.75), authentication fails.
> Reading through this thread:
>
> http://archives.neohapsis.com/archives/pam-list/2001-02/0100.html
> I realize that the /sbin/unix_chkpwd script is likely disallowing
> lookups for uids not matching the effective uid of the requesting
> process.
> The thread suggests cobbling together a version of unix_chkpwd that
> allows this type of lookup for the web server user. I'm not certain
> that my typical customer will want to accept (nor, be able to
> correctly compile it, for that matter...) this as a solution.
> So, anyone have a generic solution that solves this? Or should I
> just hack up a version of unix_chkpwd and try to include as detailed
> building instructions as possible?
When deciding what processes to allow access to /etc/shadow, you have to
make some choices between security and convenience. You basically have
two options. You can create a unix_chkpwd helper that implements
different sanity checks on the incoming requests, to meet your clients'
needs; or, if you don't feel that you can implement this in a way that
will be easy enough for your clients to get a handle on, you can advise
them to change the file permissions on /etc/shadow to grant the
webserver user direct read access to the file.
Steve Langasek
postmodern programmer
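To see what the second option in the reply above actually grants, here is an added audit script (not from the thread or from any PAM code) that applies the Unix permission rule to a shadow-style file for the web server account and reports whether the access comes through the owner, group or world bits. It assumes a web server uid and a set of group ids supplied by the caller; the demo uses a constructed temporary file in place of /etc/shadow.

```python
import os
import stat
import tempfile


def read_access(path, uid, gids):
    """How (uid, gids) can read path: 'owner', 'group', 'world' or 'none'.
    Mirrors Unix DAC: one permission class applies (owner, else group, else
    other) and uid 0 bypasses the check entirely."""
    st = os.stat(path)
    if uid == 0:
        return "owner"
    if st.st_uid == uid:
        return "owner" if st.st_mode & stat.S_IRUSR else "none"
    if st.st_gid in gids:
        return "group" if st.st_mode & stat.S_IRGRP else "none"
    return "world" if st.st_mode & stat.S_IROTH else "none"


def audit_shadow(path, web_uid, web_gids):
    """Return (access, finding) for the web server account on a shadow file."""
    how = read_access(path, web_uid, web_gids)
    if os.stat(path).st_mode & stat.S_IROTH:
        return how, "world-readable: every local account can read the hashes"
    if how == "group":
        return how, "read via group bit: keep that group to the web/helper user only"
    if how == "none":
        return how, "no read access: pam_unix checks for other users will fail"
    return how, "ok"


def demo():
    """Constructed sample: a temp file stands in for /etc/shadow, tried with
    three modes, for a web user in the file's group and an unrelated user."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    st = os.stat(path)
    web = (st.st_uid + 1, {st.st_gid})        # e.g. 'nobody' added to the shadow group
    other = (st.st_uid + 1, {st.st_gid + 1})  # any other local account
    results = {}
    for mode in (0o600, 0o640, 0o644):
        os.chmod(path, mode)
        results[mode] = (audit_shadow(path, *web)[0], audit_shadow(path, *other)[0])
    os.unlink(path)
    return results


if __name__ == "__main__":
    for mode, (web, other) in demo().items():
        print("%04o web=%s other=%s" % (mode, web, other))
```

Mode 0640 with the web user in the file's group is the narrowest grant that satisfies the reply's second option; 0644 hands the hashes to every local account.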